c4e4812487c4503e2546e72343067700fdd338791e162450f66013facecd118f

Analysis

max time kernel
151s
max time network
47s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/11/2022, 15:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c4e4812487c4503e2546e72343067700fdd338791e162450f66013facecd118f.exe
Size

417KB
MD5

0d11186c3f51c46ed8f1899275cb5eb6
SHA1

00dc60a9fcc6cd3241984b7f4f62a39143b56608
SHA256

c4e4812487c4503e2546e72343067700fdd338791e162450f66013facecd118f
SHA512

84e2ee4b4079fdd2606e0ea3532120ab876262165ac2346c778abb89fe771c0c696ffd568025c01316fd18c8e7fae896f118f62c8ada45629da796d0cae6e09c
SSDEEP

6144:HPOXhCRhrDPePOXhCRhrDPuPOXhCRhrDPGJDJ:HPhR9PePhR9PuPhR9PGJDJ

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1172	tmp7096220.exe
1748	tmp7096329.exe
1408	tmp7096469.exe
1116	tmp7096625.exe
1204	tmp7096735.exe
2040	tmp7096859.exe
1680	notpad.exe
1740	tmp7098622.exe
1052	tmp7098700.exe
1292	notpad.exe
468	tmp7098919.exe
2012	notpad.exe
820	tmp7099090.exe
1528	tmp7099371.exe
1132	notpad.exe
536	tmp7099683.exe
972	tmp7099948.exe
1776	notpad.exe
1956	tmp7100260.exe
988	tmp7100401.exe
2044	notpad.exe
1584	tmp7100728.exe
1120	tmp7101212.exe
280	tmp7101789.exe
648	notpad.exe
1604	tmp7102054.exe
964	notpad.exe
1748	tmp7102553.exe
1408	tmp7102304.exe
1736	notpad.exe
1536	tmp7103224.exe
1796	notpad.exe
1640	tmp7103271.exe
1364	tmp7102959.exe
860	tmp7103411.exe
1992	notpad.exe
1568	tmp7104051.exe
1744	tmp7103692.exe
768	tmp7104129.exe
1560	notpad.exe
1716	tmp7104784.exe
1912	tmp7104909.exe
1380	notpad.exe
1636	tmp7105361.exe
1000	tmp7105658.exe
1988	notpad.exe
676	tmp7105970.exe
1648	tmp7106173.exe
1936	notpad.exe
856	tmp7106750.exe
972	tmp7106968.exe
1068	notpad.exe
988	tmp7107530.exe
1776	tmp7107717.exe
1172	notpad.exe
1120	tmp7108653.exe
280	tmp7108871.exe
1116	notpad.exe
2036	tmp7109511.exe
1604	tmp7109745.exe
1468	notpad.exe
2004	tmp7110431.exe
1048	tmp7110743.exe
1536	notpad.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b0000000122cc-58.dat	upx
behavioral1/files/0x000b0000000122cc-61.dat	upx
behavioral1/files/0x000b0000000122cc-59.dat	upx
behavioral1/files/0x000b0000000122cc-62.dat	upx
behavioral1/files/0x00080000000122e4-69.dat	upx
behavioral1/files/0x00080000000122e4-72.dat	upx
behavioral1/files/0x00080000000122e4-70.dat	upx
behavioral1/files/0x00080000000122e4-74.dat	upx
behavioral1/memory/1748-73-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1584-75-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1116-85-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x000900000001230f-90.dat	upx
behavioral1/files/0x000900000001230f-91.dat	upx
behavioral1/files/0x000900000001230f-93.dat	upx
behavioral1/files/0x000900000001230f-94.dat	upx
behavioral1/files/0x00080000000122f9-101.dat	upx
behavioral1/files/0x000900000001230f-104.dat	upx
behavioral1/memory/1680-108-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x000900000001230f-109.dat	upx
behavioral1/files/0x000900000001230f-112.dat	upx
behavioral1/memory/1292-113-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00080000000122f9-121.dat	upx
behavioral1/files/0x000900000001230f-125.dat	upx
behavioral1/files/0x000900000001230f-124.dat	upx
behavioral1/memory/1292-132-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x000900000001230f-129.dat	upx
behavioral1/files/0x00080000000122f9-138.dat	upx
behavioral1/files/0x000900000001230f-141.dat	upx
behavioral1/files/0x000900000001230f-142.dat	upx
behavioral1/files/0x000900000001230f-144.dat	upx
behavioral1/memory/2012-150-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00080000000122f9-156.dat	upx
behavioral1/memory/1132-161-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1776-162-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1132-163-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1776-168-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2044-174-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/964-181-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/648-178-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/648-184-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1736-191-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/964-193-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1796-202-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1992-204-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1992-205-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1560-212-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1380-217-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1988-222-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1988-225-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1936-231-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1068-237-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1172-242-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1116-249-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1468-255-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1536-258-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1536-260-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1876-263-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1992-267-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1216-270-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/428-271-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/428-274-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1528-277-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1580-279-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1936-283-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Loads dropped DLL 64 IoCs

pid	Process
1584	c4e4812487c4503e2546e72343067700fdd338791e162450f66013facecd118f.exe
1584	c4e4812487c4503e2546e72343067700fdd338791e162450f66013facecd118f.exe
1584	c4e4812487c4503e2546e72343067700fdd338791e162450f66013facecd118f.exe
1584	c4e4812487c4503e2546e72343067700fdd338791e162450f66013facecd118f.exe
1748	tmp7096329.exe
1748	tmp7096329.exe
1748	tmp7096329.exe
1748	tmp7096329.exe
1116	tmp7096625.exe
1116	tmp7096625.exe
1116	tmp7096625.exe
1116	tmp7096625.exe
1204	tmp7096735.exe
1204	tmp7096735.exe
1680	notpad.exe
1680	notpad.exe
1740	tmp7098622.exe
1680	notpad.exe
1740	tmp7098622.exe
1292	notpad.exe
1292	notpad.exe
1816	WerFault.exe
1816	WerFault.exe
468	tmp7098919.exe
468	tmp7098919.exe
1292	notpad.exe
2012	notpad.exe
2012	notpad.exe
1528	tmp7099371.exe
1528	tmp7099371.exe
2012	notpad.exe
1132	notpad.exe
1132	notpad.exe
972	tmp7099948.exe
972	tmp7099948.exe
1132	notpad.exe
1776	notpad.exe
1776	notpad.exe
988	tmp7100401.exe
988	tmp7100401.exe
1776	notpad.exe
2044	notpad.exe
2044	notpad.exe
1120	tmp7101212.exe
1120	tmp7101212.exe
2044	notpad.exe
648	notpad.exe
648	notpad.exe
1604	tmp7102054.exe
1604	tmp7102054.exe
648	notpad.exe
964	notpad.exe
964	notpad.exe
1748	tmp7102553.exe
1748	tmp7102553.exe
1736	notpad.exe
1736	notpad.exe
1536	tmp7103224.exe
1536	tmp7103224.exe
1736	notpad.exe
964	notpad.exe
1796	notpad.exe
1796	notpad.exe
860	tmp7103411.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\notpad.exe	tmp7135875.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7141491.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7175562.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7103224.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7101212.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7121632.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7131460.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7135236.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7136468.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7151787.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7232861.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7098622.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7117873.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7123489.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7131460.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7230583.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7098622.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7099948.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7135236.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7161569.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7175562.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7098919.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7136796.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7175562.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7175562.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7194641.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7227682.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7129635.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7143176.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7172785.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7222955.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7225560.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7133364.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7103224.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7104784.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7106750.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7162317.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7169415.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7232861.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7102054.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7108653.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7117873.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7128980.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7131460.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7184298.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7216590.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7237993.exe
File created	C:\Windows\SysWOW64\fsb.stb	tmp7096735.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7105970.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7109511.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7114253.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7117186.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7141491.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7143816.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7184626.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7102553.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7232861.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7127592.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7135875.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7237993.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7103411.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7103411.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp7112350.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7126827.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1816	2040	WerFault.exe	31

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7102054.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7103224.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7118622.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7169415.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7098919.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7099948.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7115361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7129635.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7130197.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7099371.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7104051.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7117186.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7124238.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7132755.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7133364.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7121632.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7141491.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7150399.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7162317.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7175172.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7181038.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7123489.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7126827.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7128278.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7140274.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7186810.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7230583.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7114721.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7136796.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7172785.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7100401.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7127592.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7143816.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7167450.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7189867.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7106750.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7126094.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7130836.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7134066.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7137420.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7194641.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7101212.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7110431.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7117873.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7122194.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7131460.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7135236.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7151787.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7184298.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7104784.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7108653.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7143176.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7184626.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7114253.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7134643.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7179103.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7222955.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7225560.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7227682.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7232861.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7096735.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7103411.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7105361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7109511.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1584 wrote to memory of 1172	1584	c4e4812487c4503e2546e72343067700fdd338791e162450f66013facecd118f.exe	26
PID 1584 wrote to memory of 1172	1584	c4e4812487c4503e2546e72343067700fdd338791e162450f66013facecd118f.exe	26
PID 1584 wrote to memory of 1172	1584	c4e4812487c4503e2546e72343067700fdd338791e162450f66013facecd118f.exe	26
PID 1584 wrote to memory of 1172	1584	c4e4812487c4503e2546e72343067700fdd338791e162450f66013facecd118f.exe	26
PID 1584 wrote to memory of 1748	1584	c4e4812487c4503e2546e72343067700fdd338791e162450f66013facecd118f.exe	27
PID 1584 wrote to memory of 1748	1584	c4e4812487c4503e2546e72343067700fdd338791e162450f66013facecd118f.exe	27
PID 1584 wrote to memory of 1748	1584	c4e4812487c4503e2546e72343067700fdd338791e162450f66013facecd118f.exe	27
PID 1584 wrote to memory of 1748	1584	c4e4812487c4503e2546e72343067700fdd338791e162450f66013facecd118f.exe	27
PID 1748 wrote to memory of 1408	1748	tmp7096329.exe	28
PID 1748 wrote to memory of 1408	1748	tmp7096329.exe	28
PID 1748 wrote to memory of 1408	1748	tmp7096329.exe	28
PID 1748 wrote to memory of 1408	1748	tmp7096329.exe	28
PID 1748 wrote to memory of 1116	1748	tmp7096329.exe	29
PID 1748 wrote to memory of 1116	1748	tmp7096329.exe	29
PID 1748 wrote to memory of 1116	1748	tmp7096329.exe	29
PID 1748 wrote to memory of 1116	1748	tmp7096329.exe	29
PID 1116 wrote to memory of 1204	1116	tmp7096625.exe	30
PID 1116 wrote to memory of 1204	1116	tmp7096625.exe	30
PID 1116 wrote to memory of 1204	1116	tmp7096625.exe	30
PID 1116 wrote to memory of 1204	1116	tmp7096625.exe	30
PID 1116 wrote to memory of 2040	1116	tmp7096625.exe	31
PID 1116 wrote to memory of 2040	1116	tmp7096625.exe	31
PID 1116 wrote to memory of 2040	1116	tmp7096625.exe	31
PID 1116 wrote to memory of 2040	1116	tmp7096625.exe	31
PID 1204 wrote to memory of 1680	1204	tmp7096735.exe	33
PID 1204 wrote to memory of 1680	1204	tmp7096735.exe	33
PID 1204 wrote to memory of 1680	1204	tmp7096735.exe	33
PID 1204 wrote to memory of 1680	1204	tmp7096735.exe	33
PID 2040 wrote to memory of 1816	2040	tmp7096859.exe	32
PID 2040 wrote to memory of 1816	2040	tmp7096859.exe	32
PID 2040 wrote to memory of 1816	2040	tmp7096859.exe	32
PID 2040 wrote to memory of 1816	2040	tmp7096859.exe	32
PID 1680 wrote to memory of 1740	1680	notpad.exe	34
PID 1680 wrote to memory of 1740	1680	notpad.exe	34
PID 1680 wrote to memory of 1740	1680	notpad.exe	34
PID 1680 wrote to memory of 1740	1680	notpad.exe	34
PID 1680 wrote to memory of 1052	1680	notpad.exe	36
PID 1680 wrote to memory of 1052	1680	notpad.exe	36
PID 1680 wrote to memory of 1052	1680	notpad.exe	36
PID 1680 wrote to memory of 1052	1680	notpad.exe	36
PID 1740 wrote to memory of 1292	1740	tmp7098622.exe	35
PID 1740 wrote to memory of 1292	1740	tmp7098622.exe	35
PID 1740 wrote to memory of 1292	1740	tmp7098622.exe	35
PID 1740 wrote to memory of 1292	1740	tmp7098622.exe	35
PID 1292 wrote to memory of 468	1292	notpad.exe	37
PID 1292 wrote to memory of 468	1292	notpad.exe	37
PID 1292 wrote to memory of 468	1292	notpad.exe	37
PID 1292 wrote to memory of 468	1292	notpad.exe	37
PID 468 wrote to memory of 2012	468	tmp7098919.exe	39
PID 468 wrote to memory of 2012	468	tmp7098919.exe	39
PID 468 wrote to memory of 2012	468	tmp7098919.exe	39
PID 468 wrote to memory of 2012	468	tmp7098919.exe	39
PID 1292 wrote to memory of 820	1292	notpad.exe	38
PID 1292 wrote to memory of 820	1292	notpad.exe	38
PID 1292 wrote to memory of 820	1292	notpad.exe	38
PID 1292 wrote to memory of 820	1292	notpad.exe	38
PID 2012 wrote to memory of 1528	2012	notpad.exe	40
PID 2012 wrote to memory of 1528	2012	notpad.exe	40
PID 2012 wrote to memory of 1528	2012	notpad.exe	40
PID 2012 wrote to memory of 1528	2012	notpad.exe	40
PID 1528 wrote to memory of 1132	1528	tmp7099371.exe	41
PID 1528 wrote to memory of 1132	1528	tmp7099371.exe	41
PID 1528 wrote to memory of 1132	1528	tmp7099371.exe	41
PID 1528 wrote to memory of 1132	1528	tmp7099371.exe	41

C:\Users\Admin\AppData\Local\Temp\c4e4812487c4503e2546e72343067700fdd338791e162450f66013facecd118f.exe
"C:\Users\Admin\AppData\Local\Temp\c4e4812487c4503e2546e72343067700fdd338791e162450f66013facecd118f.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1584
- C:\Users\Admin\AppData\Local\Temp\tmp7096220.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7096220.exe
  2⤵
  - Executes dropped EXE
  PID:1172
- C:\Users\Admin\AppData\Local\Temp\tmp7096329.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7096329.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Users\Admin\AppData\Local\Temp\tmp7096469.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7096469.exe
    3⤵
    - Executes dropped EXE
    PID:1408
- - C:\Users\Admin\AppData\Local\Temp\tmp7096625.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7096625.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1116
  - - C:\Users\Admin\AppData\Local\Temp\tmp7096735.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7096735.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1204
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1680
      - C:\Users\Admin\AppData\Local\Temp\tmp7098622.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098622.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098919.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098919.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099371.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099371.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099948.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099948.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:972
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100401.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100401.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:988
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101212.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101212.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1120
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:648
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102054.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102054.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1604
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102553.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102553.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1748
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103224.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103224.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103411.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103411.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        25⤵
        Executes dropped EXE
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104051.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104051.exe
        26⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        27⤵
        Executes dropped EXE
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104784.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104784.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        29⤵
        Executes dropped EXE
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105361.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105361.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        31⤵
        Executes dropped EXE
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105970.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105970.exe
        32⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:676
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        33⤵
        Executes dropped EXE
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106750.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:856
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        35⤵
        Executes dropped EXE
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107530.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107530.exe
        36⤵
        Executes dropped EXE
        
        PID:988
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        37⤵
        Executes dropped EXE
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108653.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108653.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1120
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        39⤵
        Executes dropped EXE
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109511.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109511.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        41⤵
        Executes dropped EXE
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110431.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110431.exe
        42⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2004
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        43⤵
        Executes dropped EXE
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112350.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112350.exe
        44⤵
        Drops file in System32 directory
        
        PID:1472
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        45⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113286.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113286.exe
        46⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        47⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114253.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114253.exe
        48⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        49⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114721.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114721.exe
        50⤵
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        51⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115361.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115361.exe
        52⤵
        Modifies registry class
        
        PID:1616
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        53⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116609.exe
        54⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        55⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117186.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117186.exe
        56⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1308
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        57⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117873.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117873.exe
        58⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1132
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        59⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118622.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118622.exe
        60⤵
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        61⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119230.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119230.exe
        62⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        63⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119932.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119932.exe
        64⤵
        
        PID:904
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        65⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120696.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120696.exe
        66⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        67⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121632.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121632.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        69⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122194.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122194.exe
        70⤵
        Modifies registry class
        
        PID:2000
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        71⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123489.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123489.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1364
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        73⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124238.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124238.exe
        74⤵
        Modifies registry class
        
        PID:1984
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        75⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124830.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124830.exe
        76⤵
        
        PID:360
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        77⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125517.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125517.exe
        78⤵
        
        PID:1560
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        79⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126094.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126094.exe
        80⤵
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        81⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126827.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126827.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:676
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        83⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127592.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127592.exe
        84⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        85⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128278.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128278.exe
        86⤵
        Modifies registry class
        
        PID:1132
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        87⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128980.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128980.exe
        88⤵
        Drops file in System32 directory
        
        PID:988
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        89⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129635.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129635.exe
        90⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        91⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130197.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130197.exe
        92⤵
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        93⤵
        
        PID:816
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130836.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130836.exe
        94⤵
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        95⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131460.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131460.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1352
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        97⤵
        
        PID:268
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132147.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132147.exe
        98⤵
        
        PID:612
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        99⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132755.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132755.exe
        100⤵
        Modifies registry class
        
        PID:656
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        101⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133364.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133364.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1980
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        103⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134066.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134066.exe
        104⤵
        Modifies registry class
        
        PID:692
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        105⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134643.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134643.exe
        106⤵
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        107⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135345.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135345.exe
        108⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135516.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135516.exe
        108⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135875.exe
        109⤵
        Drops file in System32 directory
        
        PID:900
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        110⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136796.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:648
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        112⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137841.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137841.exe
        113⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139557.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139557.exe
        113⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140415.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140415.exe
        114⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141210.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141210.exe
        114⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137092.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137092.exe
        111⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137420.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137420.exe
        112⤵
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        113⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140274.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140274.exe
        114⤵
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        115⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141772.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141772.exe
        116⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142396.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142396.exe
        116⤵
        
        PID:308
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143550.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143550.exe
        117⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143644.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143644.exe
        117⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141023.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141023.exe
        114⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141491.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141491.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:768
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        116⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143176.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143176.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        118⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144830.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144830.exe
        119⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145017.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145017.exe
        119⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145688.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145688.exe
        120⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        121⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146858.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146858.exe
        122⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        123⤵
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150399.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150399.exe
        124⤵
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        125⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152427.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152427.exe
        126⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152567.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152567.exe
        126⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152957.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152957.exe
        127⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154876.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154876.exe
        127⤵
        
        PID:360
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150961.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150961.exe
        124⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151787.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151787.exe
        125⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1876
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        126⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156764.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156764.exe
        127⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        128⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158542.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158542.exe
        129⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        130⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161569.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161569.exe
        131⤵
        Drops file in System32 directory
        
        PID:1160
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        132⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163815.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163815.exe
        133⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164579.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164579.exe
        133⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168136.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168136.exe
        134⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168807.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168807.exe
        134⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162271.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162271.exe
        131⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162661.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162661.exe
        132⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163799.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163799.exe
        132⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159275.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159275.exe
        129⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162317.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162317.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:676
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        131⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167216.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167216.exe
        132⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167309.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167309.exe
        132⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167450.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167450.exe
        133⤵
        Modifies registry class
        
        PID:1112
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        134⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169415.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169415.exe
        135⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        136⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172036.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172036.exe
        137⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        138⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173253.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173253.exe
        139⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174049.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174049.exe
        139⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175562.exe
        140⤵
        Drops file in System32 directory
        
        PID:1560
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        141⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179103.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179103.exe
        142⤵
        Modifies registry class
        
        PID:364
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        143⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181256.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181256.exe
        144⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183159.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183159.exe
        144⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184298.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184298.exe
        145⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:656
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        146⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186810.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186810.exe
        147⤵
        Modifies registry class
        
        PID:1156
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        148⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194641.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194641.exe
        149⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        150⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200678.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200678.exe
        151⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200818.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200818.exe
        151⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204687.exe
        152⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205545.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205545.exe
        152⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198993.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198993.exe
        149⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203689.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203689.exe
        150⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204547.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204547.exe
        150⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189087.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189087.exe
        147⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189867.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189867.exe
        148⤵
        Modifies registry class
        
        PID:1160
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        149⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199196.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199196.exe
        150⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        151⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207027.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207027.exe
        152⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        153⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216590.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216590.exe
        154⤵
        Drops file in System32 directory
        
        PID:536
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        155⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222362.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222362.exe
        156⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222768.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222768.exe
        156⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222955.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222955.exe
        157⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:972
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        158⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225295.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225295.exe
        159⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225404.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225404.exe
        159⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225560.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225560.exe
        160⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2024
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        161⤵
        
        PID:816
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227682.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227682.exe
        162⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        163⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230802.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230802.exe
        164⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231597.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231597.exe
        164⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232861.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232861.exe
        165⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:856
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        166⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\tmp7237993.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7237993.exe
        167⤵
        Drops file in System32 directory
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7238399.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7238399.exe
        167⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7238539.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7238539.exe
        168⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\tmp7238711.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7238711.exe
        168⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235560.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235560.exe
        165⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228758.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228758.exe
        162⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230583.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230583.exe
        163⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        164⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmp7234686.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7234686.exe
        165⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\tmp7236028.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7236028.exe
        165⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231551.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231551.exe
        163⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225841.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225841.exe
        160⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223127.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223127.exe
        157⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216731.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216731.exe
        154⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217011.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217011.exe
        155⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221364.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221364.exe
        155⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210101.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210101.exe
        152⤵
        
        PID:656
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212238.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212238.exe
        153⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221270.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221270.exe
        153⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203736.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203736.exe
        150⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205904.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205904.exe
        151⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211910.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211910.exe
        151⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194625.exe
        148⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184485.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184485.exe
        145⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179244.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179244.exe
        142⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181038.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181038.exe
        143⤵
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        144⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184626.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184626.exe
        145⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        146⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188042.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188042.exe
        147⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189774.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189774.exe
        147⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195842.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195842.exe
        148⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195936.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195936.exe
        148⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185686.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185686.exe
        145⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187652.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187652.exe
        146⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189727.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189727.exe
        146⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181740.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181740.exe
        143⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176685.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176685.exe
        140⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172130.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172130.exe
        137⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172785.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172785.exe
        138⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        139⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175172.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175172.exe
        140⤵
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        141⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176747.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176747.exe
        142⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176888.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176888.exe
        142⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178947.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178947.exe
        143⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180694.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180694.exe
        143⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175312.exe
        140⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175406.exe
        141⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175609.exe
        141⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174002.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174002.exe
        138⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170039.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170039.exe
        135⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170414.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170414.exe
        136⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171256.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171256.exe
        136⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167653.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167653.exe
        133⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163612.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163612.exe
        130⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157497.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157497.exe
        127⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158589.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158589.exe
        128⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161397.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161397.exe
        128⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152911.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152911.exe
        125⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147061.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147061.exe
        122⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148075.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148075.exe
        123⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148683.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148683.exe
        123⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145750.exe
        120⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143285.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143285.exe
        117⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143816.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143816.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        119⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146561.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146561.exe
        120⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147076.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147076.exe
        120⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148121.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148121.exe
        121⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148480.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148480.exe
        121⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144923.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144923.exe
        118⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142146.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7142146.exe
        115⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138262.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138262.exe
        112⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136016.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136016.exe
        109⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134799.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134799.exe
        106⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135236.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135236.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        108⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135750.exe
        109⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136156.exe
        109⤵
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136468.exe
        110⤵
        Drops file in System32 directory
        
        PID:1868
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        111⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137076.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137076.exe
        112⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137326.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137326.exe
        112⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138356.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138356.exe
        113⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139791.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139791.exe
        113⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136608.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136608.exe
        110⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135501.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7135501.exe
        107⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134206.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134206.exe
        104⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134549.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134549.exe
        105⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134705.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134705.exe
        105⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133457.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7133457.exe
        102⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132896.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132896.exe
        100⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132256.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132256.exe
        98⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131835.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7131835.exe
        96⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130946.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130946.exe
        94⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130384.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130384.exe
        92⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129791.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129791.exe
        90⤵
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129136.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129136.exe
        88⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128434.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128434.exe
        86⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127810.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127810.exe
        84⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7127046.exe
        82⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126188.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126188.exe
        80⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125642.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7125642.exe
        78⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124940.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124940.exe
        76⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124534.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124534.exe
        74⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123676.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123676.exe
        72⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122787.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122787.exe
        70⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121742.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121742.exe
        68⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120899.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120899.exe
        66⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120197.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120197.exe
        64⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119542.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119542.exe
        62⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118715.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118715.exe
        60⤵
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118013.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7118013.exe
        58⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117358.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7117358.exe
        56⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116750.exe
        54⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116094.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7116094.exe
        52⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114955.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114955.exe
        50⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114363.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114363.exe
        48⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113536.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113536.exe
        46⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112818.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112818.exe
        44⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110743.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7110743.exe
        42⤵
        Executes dropped EXE
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109745.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7109745.exe
        40⤵
        Executes dropped EXE
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108871.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7108871.exe
        38⤵
        Executes dropped EXE
        
        PID:280
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107717.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7107717.exe
        36⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106968.exe
        34⤵
        Executes dropped EXE
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106173.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7106173.exe
        32⤵
        Executes dropped EXE
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105658.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7105658.exe
        30⤵
        Executes dropped EXE
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104909.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104909.exe
        28⤵
        Executes dropped EXE
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104129.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7104129.exe
        26⤵
        Executes dropped EXE
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103692.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103692.exe
        24⤵
        Executes dropped EXE
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103271.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7103271.exe
        22⤵
        Executes dropped EXE
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102959.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102959.exe
        20⤵
        Executes dropped EXE
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102304.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7102304.exe
        18⤵
        Executes dropped EXE
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101789.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7101789.exe
        16⤵
        Executes dropped EXE
        
        PID:280
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100728.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100728.exe
        14⤵
        Executes dropped EXE
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100260.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7100260.exe
        12⤵
        Executes dropped EXE
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099683.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099683.exe
        10⤵
        Executes dropped EXE
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099090.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7099090.exe
        8⤵
        Executes dropped EXE
        
        PID:820
      - C:\Users\Admin\AppData\Local\Temp\tmp7098700.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7098700.exe
        6⤵
        Executes dropped EXE
        
        PID:1052
  - - C:\Users\Admin\AppData\Local\Temp\tmp7096859.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7096859.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2040
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2040 -s 36
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:1816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7096220.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7096329.exe

Filesize
230KB

MD5
5a0c219c10a7dd98b5ab5f7f08ed343d

SHA1
435d4b6baeaca06b571cb287da3063dcd9a23d87

SHA256
b7ad81b8de323d4ba8d2d38a0933128ca8dde5a60cb0c8456c41434e6a57cb0a

SHA512
9405b823fbf3ad7c21cd09432b463c2a13d18fc5e7b55bc6a3b583f2c8521b126ee945a2ad92cb91f652a7924dc43328526d89d8cbb44f5e832f8213d368e40c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7096329.exe

Filesize
230KB

MD5
5a0c219c10a7dd98b5ab5f7f08ed343d

SHA1
435d4b6baeaca06b571cb287da3063dcd9a23d87

SHA256
b7ad81b8de323d4ba8d2d38a0933128ca8dde5a60cb0c8456c41434e6a57cb0a

SHA512
9405b823fbf3ad7c21cd09432b463c2a13d18fc5e7b55bc6a3b583f2c8521b126ee945a2ad92cb91f652a7924dc43328526d89d8cbb44f5e832f8213d368e40c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7096469.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7096625.exe

Filesize
183KB

MD5
49327bdeaf1a6c167314313c94c0dbae

SHA1
d3486de62675cab18e8d8737a2ee7ff47ed84ee5

SHA256
53d408c198ce7f44989e5c562b78919b2ccfd828ee63ff5a31d891be66043791

SHA512
21cf2d97b0128a893e8e8b6a2ad6b94438b5cf8bd6345d274219b0013b8b24452a8d6143704ba5ec02b8864e08819bfba4ee0ad5ab59ccd5a762c6b367440ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7096625.exe

Filesize
183KB

MD5
49327bdeaf1a6c167314313c94c0dbae

SHA1
d3486de62675cab18e8d8737a2ee7ff47ed84ee5

SHA256
53d408c198ce7f44989e5c562b78919b2ccfd828ee63ff5a31d891be66043791

SHA512
21cf2d97b0128a893e8e8b6a2ad6b94438b5cf8bd6345d274219b0013b8b24452a8d6143704ba5ec02b8864e08819bfba4ee0ad5ab59ccd5a762c6b367440ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7096735.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7096735.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7096859.exe

Filesize
136KB

MD5
3e799949a9b31a56ff693ce911c45ccf

SHA1
b4de03d3e965e666023bfb0fe53cbf1d81b9320d

SHA256
c9d4b0d3d49f0812e02725be751d0732ae1144878e505596ba065cce4d569b31

SHA512
c7cf7026b8fbeb39b33033b0d2817f582b8a7ee47c54c8bd94858069acef3073d6b7d67029b2c62bfa716804d123c222b8c3957bd4f87437996139c08e91b41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7098622.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7098622.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7098700.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7098919.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7098919.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7099090.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7099371.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7099371.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7099683.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7099948.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
222KB

MD5
47318c708df7b2a459e43607530fae9a

SHA1
5f208e03969eb163811d5d2828f8498f618907fd

SHA256
49188b7c853308c7dcaab9eeea28dadad3a8eb8f3de9d92dacc60196a63198a3

SHA512
a33ce81a3a8a065c53ba7ce87985c903ee583af7d5e6bd09fb255280d332252902cd0fe37381eb5622bca6ecbd2f5940bbbf8ca42fc1afea93259721958fa34b

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
222KB

MD5
47318c708df7b2a459e43607530fae9a

SHA1
5f208e03969eb163811d5d2828f8498f618907fd

SHA256
49188b7c853308c7dcaab9eeea28dadad3a8eb8f3de9d92dacc60196a63198a3

SHA512
a33ce81a3a8a065c53ba7ce87985c903ee583af7d5e6bd09fb255280d332252902cd0fe37381eb5622bca6ecbd2f5940bbbf8ca42fc1afea93259721958fa34b

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
222KB

MD5
47318c708df7b2a459e43607530fae9a

SHA1
5f208e03969eb163811d5d2828f8498f618907fd

SHA256
49188b7c853308c7dcaab9eeea28dadad3a8eb8f3de9d92dacc60196a63198a3

SHA512
a33ce81a3a8a065c53ba7ce87985c903ee583af7d5e6bd09fb255280d332252902cd0fe37381eb5622bca6ecbd2f5940bbbf8ca42fc1afea93259721958fa34b

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
222KB

MD5
47318c708df7b2a459e43607530fae9a

SHA1
5f208e03969eb163811d5d2828f8498f618907fd

SHA256
49188b7c853308c7dcaab9eeea28dadad3a8eb8f3de9d92dacc60196a63198a3

SHA512
a33ce81a3a8a065c53ba7ce87985c903ee583af7d5e6bd09fb255280d332252902cd0fe37381eb5622bca6ecbd2f5940bbbf8ca42fc1afea93259721958fa34b

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
222KB

MD5
47318c708df7b2a459e43607530fae9a

SHA1
5f208e03969eb163811d5d2828f8498f618907fd

SHA256
49188b7c853308c7dcaab9eeea28dadad3a8eb8f3de9d92dacc60196a63198a3

SHA512
a33ce81a3a8a065c53ba7ce87985c903ee583af7d5e6bd09fb255280d332252902cd0fe37381eb5622bca6ecbd2f5940bbbf8ca42fc1afea93259721958fa34b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7096220.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7096220.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7096329.exe

Filesize
230KB

MD5
5a0c219c10a7dd98b5ab5f7f08ed343d

SHA1
435d4b6baeaca06b571cb287da3063dcd9a23d87

SHA256
b7ad81b8de323d4ba8d2d38a0933128ca8dde5a60cb0c8456c41434e6a57cb0a

SHA512
9405b823fbf3ad7c21cd09432b463c2a13d18fc5e7b55bc6a3b583f2c8521b126ee945a2ad92cb91f652a7924dc43328526d89d8cbb44f5e832f8213d368e40c

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7096329.exe

Filesize
230KB

MD5
5a0c219c10a7dd98b5ab5f7f08ed343d

SHA1
435d4b6baeaca06b571cb287da3063dcd9a23d87

SHA256
b7ad81b8de323d4ba8d2d38a0933128ca8dde5a60cb0c8456c41434e6a57cb0a

SHA512
9405b823fbf3ad7c21cd09432b463c2a13d18fc5e7b55bc6a3b583f2c8521b126ee945a2ad92cb91f652a7924dc43328526d89d8cbb44f5e832f8213d368e40c

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7096469.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7096469.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7096625.exe

Filesize
183KB

MD5
49327bdeaf1a6c167314313c94c0dbae

SHA1
d3486de62675cab18e8d8737a2ee7ff47ed84ee5

SHA256
53d408c198ce7f44989e5c562b78919b2ccfd828ee63ff5a31d891be66043791

SHA512
21cf2d97b0128a893e8e8b6a2ad6b94438b5cf8bd6345d274219b0013b8b24452a8d6143704ba5ec02b8864e08819bfba4ee0ad5ab59ccd5a762c6b367440ce3

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7096625.exe

Filesize
183KB

MD5
49327bdeaf1a6c167314313c94c0dbae

SHA1
d3486de62675cab18e8d8737a2ee7ff47ed84ee5

SHA256
53d408c198ce7f44989e5c562b78919b2ccfd828ee63ff5a31d891be66043791

SHA512
21cf2d97b0128a893e8e8b6a2ad6b94438b5cf8bd6345d274219b0013b8b24452a8d6143704ba5ec02b8864e08819bfba4ee0ad5ab59ccd5a762c6b367440ce3

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7096735.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7096735.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7096859.exe

Filesize
136KB

MD5
3e799949a9b31a56ff693ce911c45ccf

SHA1
b4de03d3e965e666023bfb0fe53cbf1d81b9320d

SHA256
c9d4b0d3d49f0812e02725be751d0732ae1144878e505596ba065cce4d569b31

SHA512
c7cf7026b8fbeb39b33033b0d2817f582b8a7ee47c54c8bd94858069acef3073d6b7d67029b2c62bfa716804d123c222b8c3957bd4f87437996139c08e91b41a

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7096859.exe

Filesize
136KB

MD5
3e799949a9b31a56ff693ce911c45ccf

SHA1
b4de03d3e965e666023bfb0fe53cbf1d81b9320d

SHA256
c9d4b0d3d49f0812e02725be751d0732ae1144878e505596ba065cce4d569b31

SHA512
c7cf7026b8fbeb39b33033b0d2817f582b8a7ee47c54c8bd94858069acef3073d6b7d67029b2c62bfa716804d123c222b8c3957bd4f87437996139c08e91b41a

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7096859.exe

Filesize
136KB

MD5
3e799949a9b31a56ff693ce911c45ccf

SHA1
b4de03d3e965e666023bfb0fe53cbf1d81b9320d

SHA256
c9d4b0d3d49f0812e02725be751d0732ae1144878e505596ba065cce4d569b31

SHA512
c7cf7026b8fbeb39b33033b0d2817f582b8a7ee47c54c8bd94858069acef3073d6b7d67029b2c62bfa716804d123c222b8c3957bd4f87437996139c08e91b41a

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7096859.exe

Filesize
136KB

MD5
3e799949a9b31a56ff693ce911c45ccf

SHA1
b4de03d3e965e666023bfb0fe53cbf1d81b9320d

SHA256
c9d4b0d3d49f0812e02725be751d0732ae1144878e505596ba065cce4d569b31

SHA512
c7cf7026b8fbeb39b33033b0d2817f582b8a7ee47c54c8bd94858069acef3073d6b7d67029b2c62bfa716804d123c222b8c3957bd4f87437996139c08e91b41a

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7098622.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7098622.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7098700.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7098919.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7098919.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7099090.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7099371.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7099371.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7099683.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7099948.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7099948.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
222KB

MD5
47318c708df7b2a459e43607530fae9a

SHA1
5f208e03969eb163811d5d2828f8498f618907fd

SHA256
49188b7c853308c7dcaab9eeea28dadad3a8eb8f3de9d92dacc60196a63198a3

SHA512
a33ce81a3a8a065c53ba7ce87985c903ee583af7d5e6bd09fb255280d332252902cd0fe37381eb5622bca6ecbd2f5940bbbf8ca42fc1afea93259721958fa34b

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
222KB

MD5
47318c708df7b2a459e43607530fae9a

SHA1
5f208e03969eb163811d5d2828f8498f618907fd

SHA256
49188b7c853308c7dcaab9eeea28dadad3a8eb8f3de9d92dacc60196a63198a3

SHA512
a33ce81a3a8a065c53ba7ce87985c903ee583af7d5e6bd09fb255280d332252902cd0fe37381eb5622bca6ecbd2f5940bbbf8ca42fc1afea93259721958fa34b

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
222KB

MD5
47318c708df7b2a459e43607530fae9a

SHA1
5f208e03969eb163811d5d2828f8498f618907fd

SHA256
49188b7c853308c7dcaab9eeea28dadad3a8eb8f3de9d92dacc60196a63198a3

SHA512
a33ce81a3a8a065c53ba7ce87985c903ee583af7d5e6bd09fb255280d332252902cd0fe37381eb5622bca6ecbd2f5940bbbf8ca42fc1afea93259721958fa34b

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
222KB

MD5
47318c708df7b2a459e43607530fae9a

SHA1
5f208e03969eb163811d5d2828f8498f618907fd

SHA256
49188b7c853308c7dcaab9eeea28dadad3a8eb8f3de9d92dacc60196a63198a3

SHA512
a33ce81a3a8a065c53ba7ce87985c903ee583af7d5e6bd09fb255280d332252902cd0fe37381eb5622bca6ecbd2f5940bbbf8ca42fc1afea93259721958fa34b

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
222KB

MD5
47318c708df7b2a459e43607530fae9a

SHA1
5f208e03969eb163811d5d2828f8498f618907fd

SHA256
49188b7c853308c7dcaab9eeea28dadad3a8eb8f3de9d92dacc60196a63198a3

SHA512
a33ce81a3a8a065c53ba7ce87985c903ee583af7d5e6bd09fb255280d332252902cd0fe37381eb5622bca6ecbd2f5940bbbf8ca42fc1afea93259721958fa34b

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
222KB

MD5
47318c708df7b2a459e43607530fae9a

SHA1
5f208e03969eb163811d5d2828f8498f618907fd

SHA256
49188b7c853308c7dcaab9eeea28dadad3a8eb8f3de9d92dacc60196a63198a3

SHA512
a33ce81a3a8a065c53ba7ce87985c903ee583af7d5e6bd09fb255280d332252902cd0fe37381eb5622bca6ecbd2f5940bbbf8ca42fc1afea93259721958fa34b

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
222KB

MD5
47318c708df7b2a459e43607530fae9a

SHA1
5f208e03969eb163811d5d2828f8498f618907fd

SHA256
49188b7c853308c7dcaab9eeea28dadad3a8eb8f3de9d92dacc60196a63198a3

SHA512
a33ce81a3a8a065c53ba7ce87985c903ee583af7d5e6bd09fb255280d332252902cd0fe37381eb5622bca6ecbd2f5940bbbf8ca42fc1afea93259721958fa34b

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
222KB

MD5
47318c708df7b2a459e43607530fae9a

SHA1
5f208e03969eb163811d5d2828f8498f618907fd

SHA256
49188b7c853308c7dcaab9eeea28dadad3a8eb8f3de9d92dacc60196a63198a3

SHA512
a33ce81a3a8a065c53ba7ce87985c903ee583af7d5e6bd09fb255280d332252902cd0fe37381eb5622bca6ecbd2f5940bbbf8ca42fc1afea93259721958fa34b

Download Submit
memory/428-274-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/428-271-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/568-288-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/648-184-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/648-178-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/840-323-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/864-309-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/864-311-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/932-306-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/964-193-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/964-181-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/972-326-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1068-237-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1080-320-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1080-317-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1116-295-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1116-249-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1116-85-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1120-292-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1132-161-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1132-163-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1132-327-0x00000000024F0000-0x000000000250F000-memory.dmp

Filesize
124KB

Download
memory/1172-63-0x0000000074BB1000-0x0000000074BB3000-memory.dmp

Filesize
8KB

Download
memory/1172-242-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1216-270-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1288-301-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1292-113-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1292-132-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1372-314-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1380-217-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1468-255-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1528-277-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1528-145-0x0000000000510000-0x000000000051D000-memory.dmp

Filesize
52KB

Download
memory/1536-258-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1536-260-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1560-212-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1580-279-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1584-75-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1680-108-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1736-191-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1748-87-0x0000000000220000-0x000000000023F000-memory.dmp

Filesize
124KB

Download
memory/1748-73-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1748-88-0x0000000000220000-0x000000000023F000-memory.dmp

Filesize
124KB

Download
memory/1764-298-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1772-333-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1776-162-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1776-168-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1796-202-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1840-316-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1868-286-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1868-330-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1876-263-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1936-283-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1936-231-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1968-304-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1988-225-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1988-222-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1992-205-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1992-204-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1992-267-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2004-256-0x0000000000330000-0x000000000034F000-memory.dmp

Filesize
124KB

Download
memory/2004-257-0x00000000005A0000-0x00000000005BF000-memory.dmp

Filesize
124KB

Download
memory/2012-150-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2040-86-0x0000000000010000-0x0000000000032000-memory.dmp

Filesize
136KB

Download
memory/2044-174-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download