9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

Analysis

max time kernel
23s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 22:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73.exe
Size

112KB
MD5

9cb9f8e32e51ecef897563c0f5e8cd85
SHA1

2bc90dbb1efe3982cba4a6367af726f82c2aa79a
SHA256

9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73
SHA512

b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0
SSDEEP

384:6FVe6h5aBTLhyQnPLmlmFwlyyB5f3ggWBh9tsLGhqaaFlHmzTGf8:6NadL80My45fgFh9tsLDQzTGf

Score

10^/10

persistence

Malware Config

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	3924	arp.exe	1075

Executes dropped EXE 64 IoCs

pid	Process
4520	winpub.exe
4988	winpub.exe
4964	winpub.exe
2896	winpub.exe
1952	winpub.exe
2560	winpub.exe
4056	winpub.exe
3820	winpub.exe
3648	winpub.exe
1892	winpub.exe
1424	winpub.exe
4452	winpub.exe
4248	winpub.exe
3484	winpub.exe
4576	winpub.exe
4544	winpub.exe
4748	winpub.exe
3708	winpub.exe
4784	winpub.exe
3984	winpub.exe
3668	winpub.exe
752	winpub.exe
2268	winpub.exe
4684	winpub.exe
456	winpub.exe
1436	winpub.exe
4928	winpub.exe
4744	winpub.exe
1468	winpub.exe
1952	winpub.exe
308	winpub.exe
3820	winpub.exe
224	winpub.exe
1792	arp.exe
3184	winpub.exe
4204	arp.exe
4408	winpub.exe
4524	winpub.exe
3232	winpub.exe
1732	winpub.exe
3320	winpub.exe
3472	winpub.exe
2296	winpub.exe
2496	winpub.exe
5044	winpub.exe
4116	winpub.exe
1640	winpub.exe
3984	arp.exe
2424	arp.exe
2380	winpub.exe
2000	winpub.exe
4272	arp.exe
4876	winpub.exe
3496	winpub.exe
1708	arp.exe
3932	Conhost.exe
4772	winpub.exe
1332	winpub.exe
4048	winpub.exe
5116	Conhost.exe
332	Conhost.exe
4568	arp.exe
4584	Conhost.exe
2392	Conhost.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winpub = "C:\\Windows\\system32\\winpub.exe"	winpub.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winpub = "C:\\Windows\\system32\\winpub.exe"	winpub.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winpub = "C:\\Windows\\system32\\winpub.exe"	winpub.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winpub = "C:\\Windows\\system32\\winpub.exe"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winpub = "C:\\Windows\\system32\\winpub.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winpub = "C:\\Windows\\system32\\winpub.exe"	arp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winpub = "C:\\Windows\\system32\\winpub.exe"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winpub = "C:\\Windows\\system32\\winpub.exe"	arp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winpub = "C:\\Windows\\system32\\winpub.exe"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winpub = "C:\\Windows\\system32\\winpub.exe"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	winpub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	arp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	arp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	winpub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	winpub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	arp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	arp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winpub = "C:\\Windows\\system32\\winpub.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winpub = "C:\\Windows\\system32\\winpub.exe"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	winpub.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winpub = "C:\\Windows\\system32\\winpub.exe"	winpub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winpub = "C:\\Windows\\system32\\winpub.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winpub = "C:\\Windows\\system32\\winpub.exe"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winpub = "C:\\Windows\\system32\\winpub.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winpub = "C:\\Windows\\system32\\winpub.exe"	winpub.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winpub = "C:\\Windows\\system32\\winpub.exe"	winpub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winpub = "C:\\Windows\\system32\\winpub.exe"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	winpub.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winpub = "C:\\Windows\\system32\\winpub.exe"	winpub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	winpub.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winpub = "C:\\Windows\\system32\\winpub.exe"	Conhost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	winpub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	arp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winpub = "C:\\Windows\\system32\\winpub.exe"	winpub.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winpub = "C:\\Windows\\system32\\winpub.exe"	winpub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winpub = "C:\\Windows\\system32\\winpub.exe"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winpub = "C:\\Windows\\system32\\winpub.exe"	winpub.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winpub = "C:\\Windows\\system32\\winpub.exe"	winpub.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winpub = "C:\\Windows\\system32\\winpub.exe"	Conhost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winpub = "C:\\Windows\\system32\\winpub.exe"	arp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winpub = "C:\\Windows\\system32\\winpub.exe"	winpub.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winpub = "C:\\Windows\\system32\\winpub.exe"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	winpub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	winpub.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	arp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\winpub = "C:\\Windows\\system32\\winpub.exe"	Process not Found
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Process not Found

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\winpub.exe	winpub.exe
File created	C:\Windows\SysWOW64\winpub.exe	Process not Found
File created	C:\Windows\SysWOW64\winpub.exe	Process not Found
File created	C:\Windows\SysWOW64\winpub.exe	winpub.exe
File created	C:\Windows\SysWOW64\winpub.exe	winpub.exe
File created	C:\Windows\SysWOW64\winpub.exe	Process not Found
File created	C:\Windows\SysWOW64\winpub.exe	Process not Found
File created	C:\Windows\SysWOW64\winpub.exe	Process not Found
File created	C:\Windows\SysWOW64\winpub.exe	Process not Found
File created	C:\Windows\SysWOW64\winpub.exe	winpub.exe
File created	C:\Windows\SysWOW64\winpub.exe	winpub.exe
File created	C:\Windows\SysWOW64\winpub.exe	winpub.exe
File created	C:\Windows\SysWOW64\winpub.exe	Process not Found
File created	C:\Windows\SysWOW64\winpub.exe	Process not Found
File created	C:\Windows\SysWOW64\winpub.exe	Process not Found
File created	C:\Windows\SysWOW64\winpub.exe	Process not Found
File created	C:\Windows\SysWOW64\winpub.exe	Process not Found
File created	C:\Windows\SysWOW64\winpub.exe	winpub.exe
File created	C:\Windows\SysWOW64\winpub.exe	winpub.exe
File created	C:\Windows\SysWOW64\winpub.exe	Conhost.exe
File created	C:\Windows\SysWOW64\winpub.exe	Process not Found
File created	C:\Windows\SysWOW64\winpub.exe	winpub.exe
File created	C:\Windows\SysWOW64\winpub.exe	winpub.exe
File created	C:\Windows\SysWOW64\winpub.exe	winpub.exe
File created	C:\Windows\SysWOW64\winpub.exe	Process not Found
File created	C:\Windows\SysWOW64\winpub.exe	arp.exe
File created	C:\Windows\SysWOW64\winpub.exe	Conhost.exe
File created	C:\Windows\SysWOW64\winpub.exe	Process not Found
File created	C:\Windows\SysWOW64\winpub.exe	Process not Found
File created	C:\Windows\SysWOW64\winpub.exe	winpub.exe
File created	C:\Windows\SysWOW64\winpub.exe	winpub.exe
File created	C:\Windows\SysWOW64\winpub.exe	winpub.exe
File created	C:\Windows\SysWOW64\winpub.exe	winpub.exe
File created	C:\Windows\SysWOW64\winpub.exe	Process not Found
File created	C:\Windows\SysWOW64\winpub.exe	Process not Found
File created	C:\Windows\SysWOW64\winpub.exe	Process not Found
File created	C:\Windows\SysWOW64\winpub.exe	Process not Found
File created	C:\Windows\SysWOW64\winpub.exe	Process not Found
File created	C:\Windows\SysWOW64\winpub.exe	winpub.exe
File created	C:\Windows\SysWOW64\winpub.exe	Process not Found
File created	C:\Windows\SysWOW64\winpub.exe	Process not Found
File created	C:\Windows\SysWOW64\winpub.exe	Process not Found
File created	C:\Windows\SysWOW64\winpub.exe	Process not Found
File created	C:\Windows\SysWOW64\winpub.exe	Process not Found
File created	C:\Windows\SysWOW64\winpub.exe	Process not Found
File created	C:\Windows\SysWOW64\winpub.exe	winpub.exe
File created	C:\Windows\SysWOW64\winpub.exe	winpub.exe
File created	C:\Windows\SysWOW64\winpub.exe	arp.exe
File created	C:\Windows\SysWOW64\winpub.exe	Process not Found
File created	C:\Windows\SysWOW64\winpub.exe	winpub.exe
File created	C:\Windows\SysWOW64\winpub.exe	arp.exe
File created	C:\Windows\SysWOW64\winpub.exe	Process not Found
File created	C:\Windows\SysWOW64\winpub.exe	winpub.exe
File created	C:\Windows\SysWOW64\winpub.exe	winpub.exe
File created	C:\Windows\SysWOW64\winpub.exe	winpub.exe
File created	C:\Windows\SysWOW64\winpub.exe	Conhost.exe
File created	C:\Windows\SysWOW64\winpub.exe	Conhost.exe
File created	C:\Windows\SysWOW64\winpub.exe	Process not Found
File created	C:\Windows\SysWOW64\winpub.exe	Process not Found
File created	C:\Windows\SysWOW64\winpub.exe	Process not Found
File created	C:\Windows\SysWOW64\winpub.exe	arp.exe
File created	C:\Windows\SysWOW64\winpub.exe	Process not Found
File created	C:\Windows\SysWOW64\winpub.exe	Process not Found
File created	C:\Windows\SysWOW64\winpub.exe	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 928 wrote to memory of 4780	928	9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73.exe	80
PID 928 wrote to memory of 4780	928	9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73.exe	80
PID 928 wrote to memory of 4780	928	9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73.exe	80
PID 928 wrote to memory of 4520	928	9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73.exe	81
PID 928 wrote to memory of 4520	928	9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73.exe	81
PID 928 wrote to memory of 4520	928	9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73.exe	81
PID 4520 wrote to memory of 3172	4520	winpub.exe	83
PID 4520 wrote to memory of 3172	4520	winpub.exe	83
PID 4520 wrote to memory of 3172	4520	winpub.exe	83
PID 4520 wrote to memory of 4988	4520	winpub.exe	84
PID 4520 wrote to memory of 4988	4520	winpub.exe	84
PID 4520 wrote to memory of 4988	4520	winpub.exe	84
PID 4988 wrote to memory of 4736	4988	winpub.exe	86
PID 4988 wrote to memory of 4736	4988	winpub.exe	86
PID 4988 wrote to memory of 4736	4988	winpub.exe	86
PID 4988 wrote to memory of 4964	4988	winpub.exe	88
PID 4988 wrote to memory of 4964	4988	winpub.exe	88
PID 4988 wrote to memory of 4964	4988	winpub.exe	88
PID 4964 wrote to memory of 4584	4964	winpub.exe	89
PID 4964 wrote to memory of 4584	4964	winpub.exe	89
PID 4964 wrote to memory of 4584	4964	winpub.exe	89
PID 4964 wrote to memory of 2896	4964	winpub.exe	90
PID 4964 wrote to memory of 2896	4964	winpub.exe	90
PID 4964 wrote to memory of 2896	4964	winpub.exe	90
PID 2896 wrote to memory of 4208	2896	winpub.exe	92
PID 2896 wrote to memory of 4208	2896	winpub.exe	92
PID 2896 wrote to memory of 4208	2896	winpub.exe	92
PID 2896 wrote to memory of 1952	2896	winpub.exe	93
PID 2896 wrote to memory of 1952	2896	winpub.exe	93
PID 2896 wrote to memory of 1952	2896	winpub.exe	93
PID 1952 wrote to memory of 2984	1952	winpub.exe	99
PID 1952 wrote to memory of 2984	1952	winpub.exe	99
PID 1952 wrote to memory of 2984	1952	winpub.exe	99
PID 1952 wrote to memory of 2560	1952	winpub.exe	95
PID 1952 wrote to memory of 2560	1952	winpub.exe	95
PID 1952 wrote to memory of 2560	1952	winpub.exe	95
PID 2560 wrote to memory of 2364	2560	winpub.exe	97
PID 2560 wrote to memory of 2364	2560	winpub.exe	97
PID 2560 wrote to memory of 2364	2560	winpub.exe	97
PID 2560 wrote to memory of 4056	2560	winpub.exe	98
PID 2560 wrote to memory of 4056	2560	winpub.exe	98
PID 2560 wrote to memory of 4056	2560	winpub.exe	98
PID 4056 wrote to memory of 1832	4056	winpub.exe	101
PID 4056 wrote to memory of 1832	4056	winpub.exe	101
PID 4056 wrote to memory of 1832	4056	winpub.exe	101
PID 4056 wrote to memory of 3820	4056	winpub.exe	102
PID 4056 wrote to memory of 3820	4056	winpub.exe	102
PID 4056 wrote to memory of 3820	4056	winpub.exe	102
PID 3820 wrote to memory of 1744	3820	winpub.exe	104
PID 3820 wrote to memory of 1744	3820	winpub.exe	104
PID 3820 wrote to memory of 1744	3820	winpub.exe	104
PID 3820 wrote to memory of 3648	3820	winpub.exe	106
PID 3820 wrote to memory of 3648	3820	winpub.exe	106
PID 3820 wrote to memory of 3648	3820	winpub.exe	106
PID 3648 wrote to memory of 1992	3648	winpub.exe	107
PID 3648 wrote to memory of 1992	3648	winpub.exe	107
PID 3648 wrote to memory of 1992	3648	winpub.exe	107
PID 3648 wrote to memory of 1892	3648	winpub.exe	108
PID 3648 wrote to memory of 1892	3648	winpub.exe	108
PID 3648 wrote to memory of 1892	3648	winpub.exe	108
PID 1892 wrote to memory of 1440	1892	winpub.exe	110
PID 1892 wrote to memory of 1440	1892	winpub.exe	110
PID 1892 wrote to memory of 1440	1892	winpub.exe	110
PID 1892 wrote to memory of 1424	1892	winpub.exe	111

C:\Users\Admin\AppData\Local\Temp\9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73.exe
"C:\Users\Admin\AppData\Local\Temp\9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:928
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:4780
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4520
- - C:\Windows\SysWOW64\arp.exe
    arp.exe
    3⤵
    PID:3172
- - C:\Windows\SysWOW64\winpub.exe
    C:\Windows\system32\winpub.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4988
  - - C:\Windows\SysWOW64\arp.exe
      arp.exe
      4⤵
      PID:4736
  - - C:\Windows\SysWOW64\winpub.exe
      C:\Windows\system32\winpub.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4964
    - - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        5⤵
        
        PID:4584
    - - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:2896
      - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        6⤵
        
        PID:4208
      - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:1952
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2560
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        8⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4056
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        9⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        9⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3820
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        10⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        10⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        11⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        11⤵
        Executes dropped EXE
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        12⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        13⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        14⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        14⤵
        
        PID:224
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        13⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1424
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        13⤵
        
        PID:312
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4452
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4248
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        15⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3484
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        16⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        16⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4576
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        17⤵
        
        PID:4808
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        17⤵
        Executes dropped EXE
        
        PID:4544
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        18⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        18⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4748
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        19⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        19⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3708
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        20⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        20⤵
        Executes dropped EXE
        
        PID:4784
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        21⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3984
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        22⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        22⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        18⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        19⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        20⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        20⤵
        
        PID:844
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        19⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        19⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        20⤵
        
        PID:4160
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        21⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        22⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        23⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        24⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        24⤵
        
        PID:456
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        25⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        26⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        26⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        25⤵
        
        PID:3876
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        24⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        24⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        25⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        26⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        27⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        27⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        26⤵
        
        PID:4624
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        25⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        23⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        22⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        21⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        20⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        19⤵
        
        PID:64
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        18⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        15⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        14⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        7⤵
        
        PID:2984
    - - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        5⤵
        
        PID:4988
      - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        6⤵
        
        PID:1588
      - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        6⤵
        
        PID:2180
    - - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        5⤵
        
        PID:3480

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:2384

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3668
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:3980
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:752
- - C:\Windows\SysWOW64\arp.exe
    arp.exe
    3⤵
    PID:2960
- - C:\Windows\SysWOW64\winpub.exe
    C:\Windows\system32\winpub.exe
    3⤵
    - Executes dropped EXE
    PID:2268
  - - C:\Windows\SysWOW64\arp.exe
      arp.exe
      4⤵
      PID:684
  - - C:\Windows\SysWOW64\winpub.exe
      C:\Windows\system32\winpub.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:4684
    - - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        5⤵
        
        PID:3868
    - - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        5⤵
        Executes dropped EXE
        
        PID:456
      - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:1436
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        7⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4928

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:4000

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:4908

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
- Executes dropped EXE
PID:4744
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:396
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  - Executes dropped EXE
  PID:1468
- - C:\Windows\SysWOW64\arp.exe
    arp.exe
    3⤵
    PID:4764
- - C:\Windows\SysWOW64\winpub.exe
    C:\Windows\system32\winpub.exe
    3⤵
    - Executes dropped EXE
    PID:1952
  - - C:\Windows\SysWOW64\arp.exe
      arp.exe
      4⤵
      PID:2560
  - - C:\Windows\SysWOW64\winpub.exe
      C:\Windows\system32\winpub.exe
      4⤵
      PID:308
    - - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:3820
      - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        6⤵
        Executes dropped EXE
        
        PID:224
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        7⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        8⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3184
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        9⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        9⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        10⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        11⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        12⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        13⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        14⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        15⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        16⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        17⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        18⤵
        Drops file in System32 directory
        
        PID:524
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        19⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        20⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        21⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        21⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        21⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        21⤵
        
        PID:3468
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        20⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        19⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        18⤵
        
        PID:3672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        17⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        18⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        19⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        20⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        21⤵
        
        PID:1252
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        22⤵
        
        PID:440
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        23⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        24⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        25⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        26⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        27⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        27⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4272
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        27⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        27⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        26⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        25⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        24⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        23⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        22⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        21⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        20⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        20⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        21⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        21⤵
        
        PID:3112
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        20⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        19⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        18⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        16⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        15⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        15⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        15⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        16⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        17⤵
        
        PID:3740
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        18⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        19⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        20⤵
        
        PID:932
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        21⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        22⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        23⤵
        
        PID:896
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        24⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        25⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        26⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        27⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        28⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        29⤵
        
        PID:3048
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        30⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        31⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        32⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        32⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        31⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        30⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        29⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        28⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        27⤵
        
        PID:312
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        26⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        25⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        24⤵
        
        PID:2324
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        25⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:4584
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        23⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        22⤵
        
        PID:4888
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        21⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        20⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        19⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3528
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        18⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        17⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        16⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        14⤵
        
        PID:456
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        13⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        13⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        14⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        15⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        16⤵
        
        PID:928
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        17⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        17⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        16⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        15⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        14⤵
        
        PID:220
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        13⤵
        
        PID:4316
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        12⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        12⤵
        Adds Run key to start application
        
        PID:2960
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        11⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        10⤵
        
        PID:632
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        8⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        7⤵
        
        PID:548
      - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        6⤵
        
        PID:2364

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:3816

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
- Executes dropped EXE
PID:4524
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:3232
- - C:\Windows\SysWOW64\winpub.exe
    C:\Windows\system32\winpub.exe
    3⤵
    - Executes dropped EXE
    PID:1732
  - - C:\Windows\SysWOW64\winpub.exe
      C:\Windows\system32\winpub.exe
      4⤵
      PID:3320
  - - C:\Windows\SysWOW64\arp.exe
      arp.exe
      4⤵
      PID:312
  - - C:\Windows\SysWOW64\winpub.exe
      C:\Windows\system32\winpub.exe
      4⤵
      PID:752
  - - C:\Windows\SysWOW64\arp.exe
      arp.exe
      4⤵
      PID:2916
- - C:\Windows\SysWOW64\arp.exe
    arp.exe
    3⤵
    PID:5016
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:4468

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3472
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:2296
- - C:\Windows\SysWOW64\winpub.exe
    C:\Windows\system32\winpub.exe
    3⤵
    - Executes dropped EXE
    PID:2496
  - - C:\Windows\SysWOW64\arp.exe
      arp.exe
      4⤵
      PID:4692
  - - C:\Windows\SysWOW64\winpub.exe
      C:\Windows\system32\winpub.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      Drops file in System32 directory
      PID:5044
    - - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:4116
      - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        6⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        7⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        7⤵
        
        PID:3984
      - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        6⤵
        
        PID:2292
    - - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        5⤵
        
        PID:2488
- - C:\Windows\SysWOW64\arp.exe
    arp.exe
    3⤵
    PID:2036
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:3340

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:4916

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:4424

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:4408

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:820

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:4876
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  PID:3496
- - C:\Windows\SysWOW64\winpub.exe
    C:\Windows\system32\winpub.exe
    3⤵
    PID:1708
  - - C:\Windows\SysWOW64\winpub.exe
      C:\Windows\system32\winpub.exe
      4⤵
      PID:3932
  - - C:\Windows\SysWOW64\arp.exe
      arp.exe
      4⤵
      PID:4944
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:4268

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:1876

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:4040

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:4272

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:928

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1332
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  PID:4048
- - C:\Windows\SysWOW64\winpub.exe
    C:\Windows\system32\winpub.exe
    3⤵
    PID:5116
  - - C:\Windows\SysWOW64\winpub.exe
      C:\Windows\system32\winpub.exe
      4⤵
      PID:332
  - - C:\Windows\SysWOW64\arp.exe
      arp.exe
      4⤵
      PID:2324
- - C:\Windows\SysWOW64\arp.exe
    arp.exe
    3⤵
    PID:2572
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:5020

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:4568
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  PID:4584
- - C:\Windows\SysWOW64\arp.exe
    arp.exe
    3⤵
    PID:3264
- - C:\Windows\SysWOW64\winpub.exe
    C:\Windows\system32\winpub.exe
    3⤵
    PID:2392
  - - C:\Windows\SysWOW64\winpub.exe
      C:\Windows\system32\winpub.exe
      4⤵
      PID:4608
    - - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        5⤵
        
        PID:5048
      - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        6⤵
        
        PID:524
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        7⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        8⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        9⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        9⤵
        
        PID:2340
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        10⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        11⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        12⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        13⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        13⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        14⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        15⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        16⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        17⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        18⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        19⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        19⤵
        
        PID:3528
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        20⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        21⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        22⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        23⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        24⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        25⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        26⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        27⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        27⤵
        Drops file in System32 directory
        
        PID:4984
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        28⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        29⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        30⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        31⤵
        
        PID:2900
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        32⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        33⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        33⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        32⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        31⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        30⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        29⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        28⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        26⤵
        
        PID:3416
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        26⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        27⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        27⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        26⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        25⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        24⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        23⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        24⤵
        
        PID:4696
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        25⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        26⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        27⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        28⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        29⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        30⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        31⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        31⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        30⤵
        
        PID:752
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        29⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        28⤵
        
        PID:488
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        27⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        28⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        28⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        26⤵
        
        PID:4072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        27⤵
        
        PID:4280
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        25⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        26⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        27⤵
        Executes dropped EXE
        
        PID:4048
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        28⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        28⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        27⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        24⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        25⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        22⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        21⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        20⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        18⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        17⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        16⤵
        
        PID:312
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        15⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        14⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        15⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        16⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        17⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        17⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        16⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        15⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        13⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        14⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        15⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        15⤵
        Executes dropped EXE
        
        PID:3320
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        16⤵
        
        PID:844
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        17⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        17⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        16⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        14⤵
        Executes dropped EXE
        
        PID:1792
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        13⤵
        
        PID:3164
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        12⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        11⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        11⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        12⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        13⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        13⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        12⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        13⤵
        Executes dropped EXE
        
        PID:4876
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        13⤵
        
        PID:3088
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        11⤵
        
        PID:1340
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        10⤵
        
        PID:4452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        11⤵
        
        PID:4468
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        9⤵
        
        PID:3612
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        10⤵
        
        PID:2008
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        9⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        8⤵
        
        PID:4280
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        7⤵
        
        PID:4200
      - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        6⤵
        
        PID:4196
    - - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        5⤵
        
        PID:3816
  - - C:\Windows\SysWOW64\arp.exe
      arp.exe
      4⤵
      PID:4788
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:1792

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:240

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:4736

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
- Executes dropped EXE
PID:4772

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:2008

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:2000

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:2268
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  PID:4912
- - C:\Windows\SysWOW64\winpub.exe
    C:\Windows\system32\winpub.exe
    3⤵
    PID:4608
  - - C:\Windows\SysWOW64\winpub.exe
      C:\Windows\system32\winpub.exe
      4⤵
      PID:3388
    - - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        5⤵
        
        PID:4372
    - - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        5⤵
        
        PID:1992
      - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        6⤵
        
        PID:1256
      - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        6⤵
        
        PID:3848
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2392
  - - C:\Windows\SysWOW64\arp.exe
      arp.exe
      4⤵
      PID:1844
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:396

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:2380

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:2188

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5016

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2488

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
- Executes dropped EXE
PID:308
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  PID:2204
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:1876

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:4612

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:1344
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  PID:3724
- - C:\Windows\SysWOW64\winpub.exe
    C:\Windows\system32\winpub.exe
    3⤵
    PID:1452
  - - C:\Windows\SysWOW64\winpub.exe
      C:\Windows\system32\winpub.exe
      4⤵
      PID:2696
    - - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        5⤵
        
        PID:4792
    - - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        5⤵
        
        PID:1664
  - - C:\Windows\SysWOW64\arp.exe
      arp.exe
      4⤵
      Drops file in System32 directory
      PID:2340
- - C:\Windows\SysWOW64\arp.exe
    arp.exe
    3⤵
    PID:3092
  - - C:\Windows\SysWOW64\winpub.exe
      C:\Windows\system32\winpub.exe
      4⤵
      PID:1856
    - - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        5⤵
        
        PID:2952
      - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        6⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        7⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        8⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        7⤵
        
        PID:4316
      - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        6⤵
        
        PID:1804
    - - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        5⤵
        
        PID:400
  - - C:\Windows\SysWOW64\arp.exe
      arp.exe
      4⤵
      PID:3480
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:2876
- - C:\Windows\SysWOW64\winpub.exe
    C:\Windows\system32\winpub.exe
    3⤵
    PID:2332
  - - C:\Windows\SysWOW64\winpub.exe
      C:\Windows\system32\winpub.exe
      4⤵
      PID:2896
    - - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        5⤵
        
        PID:1344
    - - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        5⤵
        
        PID:4820
  - - C:\Windows\SysWOW64\arp.exe
      arp.exe
      4⤵
      PID:2220
- - C:\Windows\SysWOW64\arp.exe
    arp.exe
    3⤵
    PID:4268

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:1280

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:3488
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  PID:3516
- - C:\Windows\SysWOW64\arp.exe
    arp.exe
    3⤵
    PID:2632
- - C:\Windows\SysWOW64\winpub.exe
    C:\Windows\system32\winpub.exe
    3⤵
    PID:4968
  - - C:\Windows\SysWOW64\winpub.exe
      C:\Windows\system32\winpub.exe
      4⤵
      PID:2640
    - - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        5⤵
        
        PID:4432
      - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        6⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        7⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        8⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        9⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        10⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        10⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        11⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        12⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        13⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        14⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        15⤵
        
        PID:624
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        16⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        17⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        18⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        19⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        19⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        20⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        21⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        22⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        23⤵
        
        PID:220
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        24⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        25⤵
        
        PID:868
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        26⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        26⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        25⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        24⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        25⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        26⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        27⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        27⤵
        
        PID:548
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        26⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        25⤵
        
        PID:1280
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        23⤵
        
        PID:224
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        22⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        21⤵
        
        PID:3288
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        20⤵
        
        PID:2352
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        21⤵
        Executes dropped EXE
        
        PID:332
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        18⤵
        
        PID:332
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        17⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        18⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        19⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        20⤵
        
        PID:3672
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        21⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        22⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        23⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        24⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        25⤵
        
        PID:2304
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        25⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        24⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        23⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        22⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        21⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        20⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        19⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        18⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        16⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        15⤵
        Executes dropped EXE
        
        PID:4204
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        14⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        13⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        12⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        11⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        9⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        8⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        7⤵
        
        PID:4272
      - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        6⤵
        
        PID:2208
    - - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        5⤵
        
        PID:1864
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:3528

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:2288

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:1092

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:3764

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:4420

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:928
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  PID:4848
- - C:\Windows\SysWOW64\winpub.exe
    C:\Windows\system32\winpub.exe
    3⤵
    PID:2876
- - C:\Windows\SysWOW64\arp.exe
    arp.exe
    3⤵
    PID:1588
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:4784
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:5020

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:440
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  PID:2336
- - C:\Windows\SysWOW64\winpub.exe
    C:\Windows\system32\winpub.exe
    3⤵
    PID:5116
  - - C:\Windows\SysWOW64\winpub.exe
      C:\Windows\system32\winpub.exe
      4⤵
      PID:4064
  - - C:\Windows\SysWOW64\arp.exe
      arp.exe
      4⤵
      PID:1484
- - C:\Windows\SysWOW64\arp.exe
    arp.exe
    3⤵
    PID:1936
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:4196

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:4340
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  PID:2836
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:4500

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:2384

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:2164

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:1948
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  PID:2188
- - C:\Windows\SysWOW64\winpub.exe
    C:\Windows\system32\winpub.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:1640
  - - C:\Windows\SysWOW64\winpub.exe
      C:\Windows\system32\winpub.exe
      4⤵
      PID:4304
    - - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        5⤵
        
        PID:3176
    - - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        5⤵
        
        PID:1132
  - - C:\Windows\SysWOW64\arp.exe
      arp.exe
      4⤵
      PID:1956
- - C:\Windows\SysWOW64\arp.exe
    arp.exe
    3⤵
    PID:1668
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:4952

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:3984

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:3724
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  PID:2364
- - C:\Windows\SysWOW64\winpub.exe
    C:\Windows\system32\winpub.exe
    3⤵
    PID:4900
  - - C:\Windows\SysWOW64\winpub.exe
      C:\Windows\system32\winpub.exe
      4⤵
      PID:3972
    - - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        5⤵
        
        PID:5016
      - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        6⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        7⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        8⤵
        
        PID:4176
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        8⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        7⤵
        
        PID:228
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        8⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        9⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        10⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        11⤵
        
        PID:440
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        12⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        13⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        14⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        14⤵
        
        PID:4192
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        13⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        12⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        11⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        10⤵
        
        PID:2092
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        9⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        8⤵
        
        PID:3816
      - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        6⤵
        
        PID:4040
    - - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        5⤵
        
        PID:2780
  - - C:\Windows\SysWOW64\arp.exe
      arp.exe
      4⤵
      PID:1464
- - C:\Windows\SysWOW64\arp.exe
    arp.exe
    3⤵
    PID:3124
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:4344

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:4864

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:4580
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  PID:4552
- - C:\Windows\SysWOW64\winpub.exe
    C:\Windows\system32\winpub.exe
    3⤵
    PID:3364
  - - C:\Windows\SysWOW64\winpub.exe
      C:\Windows\system32\winpub.exe
      4⤵
      PID:1372
    - - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        5⤵
        
        PID:1760
      - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        6⤵
        Executes dropped EXE
        
        PID:2380
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        7⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        8⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        9⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        10⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        11⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        12⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        12⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        11⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        10⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        9⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        8⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        7⤵
        
        PID:684
      - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        6⤵
        
        PID:4568
    - - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        5⤵
        
        PID:1856
  - - C:\Windows\SysWOW64\arp.exe
      arp.exe
      4⤵
      PID:4684
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3416
- - C:\Windows\SysWOW64\arp.exe
    arp.exe
    3⤵
    PID:1624
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:4504

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:1528

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:3244
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  PID:4280
- - C:\Windows\SysWOW64\winpub.exe
    C:\Windows\system32\winpub.exe
    3⤵
    PID:3488
  - - C:\Windows\SysWOW64\winpub.exe
      C:\Windows\system32\winpub.exe
      4⤵
      PID:3708
    - - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        5⤵
        
        PID:1336
    - - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        5⤵
        
        PID:1952
    - - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        5⤵
        
        PID:3980
      - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        6⤵
        
        PID:3472
      - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        6⤵
        
        PID:5080
    - - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        5⤵
        
        PID:4952
  - - C:\Windows\SysWOW64\arp.exe
      arp.exe
      4⤵
      Executes dropped EXE
      PID:2424
- - C:\Windows\SysWOW64\arp.exe
    arp.exe
    3⤵
    PID:4748
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:3972
- - C:\Windows\SysWOW64\winpub.exe
    C:\Windows\system32\winpub.exe
    3⤵
    PID:3164
  - - C:\Windows\SysWOW64\winpub.exe
      C:\Windows\system32\winpub.exe
      4⤵
      PID:3384
- - C:\Windows\SysWOW64\arp.exe
    arp.exe
    3⤵
    PID:1416

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:2708

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:3496

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:4884

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:2656
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  PID:4764
- - C:\Windows\SysWOW64\winpub.exe
    C:\Windows\system32\winpub.exe
    3⤵
    PID:1440
- - C:\Windows\SysWOW64\arp.exe
    arp.exe
    3⤵
    PID:4856
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:4340

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:4056
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  PID:4008
- - C:\Windows\SysWOW64\winpub.exe
    C:\Windows\system32\winpub.exe
    3⤵
    PID:3104
  - - C:\Windows\SysWOW64\arp.exe
      arp.exe
      4⤵
      PID:4840
  - - C:\Windows\SysWOW64\winpub.exe
      C:\Windows\system32\winpub.exe
      4⤵
      PID:4016
    - - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        5⤵
        
        PID:4852
    - - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        5⤵
        
        PID:2672
- - C:\Windows\SysWOW64\arp.exe
    arp.exe
    3⤵
    PID:3328
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:4964

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:2232

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:1500

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:2328
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  PID:4268
- - C:\Windows\SysWOW64\winpub.exe
    C:\Windows\system32\winpub.exe
    3⤵
    PID:5100
  - - C:\Windows\SysWOW64\winpub.exe
      C:\Windows\system32\winpub.exe
      4⤵
      PID:1892
  - - C:\Windows\SysWOW64\arp.exe
      arp.exe
      4⤵
      PID:4724
- - C:\Windows\SysWOW64\arp.exe
    arp.exe
    3⤵
    PID:4328
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:4432

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:2324

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:4728
- C:\Windows\System32\Conhost.exe
  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
  2⤵
  - Drops file in System32 directory
  PID:2436

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:4524

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4184

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:4888
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  PID:1832
- - C:\Windows\SysWOW64\winpub.exe
    C:\Windows\system32\winpub.exe
    3⤵
    PID:4160
  - - C:\Windows\SysWOW64\winpub.exe
      C:\Windows\system32\winpub.exe
      4⤵
      PID:4704
    - - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        5⤵
        
        PID:5112
      - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        6⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        7⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        8⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        9⤵
        Executes dropped EXE
        
        PID:2000
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        10⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        11⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        12⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        13⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        14⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        15⤵
        
        PID:4744
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        16⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        16⤵
        
        PID:4676
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        15⤵
        
        PID:3588
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        16⤵
        
        PID:688
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        16⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        14⤵
        
        PID:808
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        13⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        11⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        11⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        11⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        10⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        8⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        7⤵
        
        PID:2288
      - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        6⤵
        
        PID:1772
    - - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        5⤵
        
        PID:5084
  - - C:\Windows\SysWOW64\arp.exe
      arp.exe
      4⤵
      PID:2844
- - C:\Windows\SysWOW64\arp.exe
    arp.exe
    3⤵
    PID:2624
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:5088

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:4548

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:4624
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  PID:4332
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:4256

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:3748

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:312
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:4600
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  PID:4544

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:4344
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  PID:2232
- - C:\Windows\SysWOW64\winpub.exe
    C:\Windows\system32\winpub.exe
    3⤵
    PID:4816
  - - C:\Windows\SysWOW64\winpub.exe
      C:\Windows\system32\winpub.exe
      4⤵
      PID:4912
    - - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        5⤵
        
        PID:3228
      - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        6⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        7⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        8⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        9⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        10⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        10⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        11⤵
        
        PID:2332
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        12⤵
        Executes dropped EXE
        
        PID:3496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        
        PID:4200
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        12⤵
        
        PID:2844
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        13⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        11⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        10⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        9⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2696
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        8⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        8⤵
        
        PID:1120
    - - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        5⤵
        
        PID:3852
  - - C:\Windows\SysWOW64\arp.exe
      arp.exe
      4⤵
      PID:1760
    - - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        5⤵
        
        PID:4180
    - - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        5⤵
        
        PID:3480
- - C:\Windows\SysWOW64\arp.exe
    arp.exe
    3⤵
    PID:2336
  - - C:\Windows\SysWOW64\winpub.exe
      C:\Windows\system32\winpub.exe
      4⤵
      PID:2268
  - - C:\Windows\SysWOW64\arp.exe
      arp.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      PID:1708
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:1484

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:4080
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  PID:3164
- - C:\Windows\SysWOW64\winpub.exe
    C:\Windows\system32\winpub.exe
    3⤵
    PID:4372
- - C:\Windows\SysWOW64\arp.exe
    arp.exe
    3⤵
    PID:820
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:4788

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:1436
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  PID:1668
- - C:\Windows\SysWOW64\winpub.exe
    C:\Windows\system32\winpub.exe
    3⤵
    PID:3468
- - C:\Windows\SysWOW64\arp.exe
    arp.exe
    3⤵
    PID:3488
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:3180

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:3124

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:1736
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  PID:4256
- - C:\Windows\SysWOW64\arp.exe
    arp.exe
    3⤵
    PID:5056
- - C:\Windows\SysWOW64\winpub.exe
    C:\Windows\system32\winpub.exe
    3⤵
    PID:4576
  - - C:\Windows\SysWOW64\arp.exe
      arp.exe
      4⤵
      PID:2784
  - - C:\Windows\SysWOW64\winpub.exe
      C:\Windows\system32\winpub.exe
      4⤵
      PID:4224
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Executes dropped EXE
    PID:3932
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:3748

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:3940

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:3876

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:3816

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4040

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:3108

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:3924

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:1768

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:3692
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  PID:1920
- - C:\Windows\SysWOW64\winpub.exe
    C:\Windows\system32\winpub.exe
    3⤵
    PID:4976
  - - C:\Windows\SysWOW64\winpub.exe
      C:\Windows\system32\winpub.exe
      4⤵
      PID:3652
    - - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        5⤵
        
        PID:3480
      - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        6⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        7⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        7⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        7⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        8⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        9⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        10⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        11⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        12⤵
        
        PID:3552
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        12⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        11⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        11⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        11⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        10⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        9⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        8⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        7⤵
        
        PID:1588
      - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        6⤵
        
        PID:2916
    - - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        5⤵
        
        PID:3996
  - - C:\Windows\SysWOW64\arp.exe
      arp.exe
      4⤵
      PID:4160
- - C:\Windows\SysWOW64\arp.exe
    arp.exe
    3⤵
    PID:1416
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:2572

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:3092

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:4736

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:1140

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:1948

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:3436
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:2244
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:4944
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  PID:2212

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:4396

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:820
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:684
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  PID:3500
- - C:\Windows\SysWOW64\winpub.exe
    C:\Windows\system32\winpub.exe
    3⤵
    PID:4064
  - - C:\Windows\SysWOW64\winpub.exe
      C:\Windows\system32\winpub.exe
      4⤵
      PID:4720
    - - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        5⤵
        
        PID:2016
      - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        6⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        7⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        8⤵
        
        PID:4648
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        9⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        10⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        11⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        12⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        13⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        14⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        15⤵
        
        PID:688
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        16⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        17⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        18⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        19⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        20⤵
        
        PID:544
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        20⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        19⤵
        
        PID:3496
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        20⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        20⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        21⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        22⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        23⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        23⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        24⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        24⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        25⤵
        
        PID:308
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        25⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        22⤵
        
        PID:1460
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        21⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        20⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        18⤵
        
        PID:820
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        19⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        17⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        16⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        15⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        14⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        13⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        12⤵
        
        PID:3364
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        11⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        10⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        9⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        8⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        7⤵
        
        PID:2364
      - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        6⤵
        
        PID:2352
    - - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        5⤵
        
        PID:3520
  - - C:\Windows\SysWOW64\arp.exe
      arp.exe
      4⤵
      PID:3984
- - C:\Windows\SysWOW64\arp.exe
    arp.exe
    3⤵
    PID:1356
- - C:\Windows\SysWOW64\winpub.exe
    C:\Windows\system32\winpub.exe
    3⤵
    PID:1080
  - - C:\Windows\SysWOW64\winpub.exe
      C:\Windows\system32\winpub.exe
      4⤵
      PID:4812
    - - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        5⤵
        
        PID:1460
      - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        6⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        7⤵
        
        PID:844
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        8⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        9⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        10⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        11⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        12⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        13⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        14⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        14⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        14⤵
        
        PID:3108
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        14⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        13⤵
        
        PID:932
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        14⤵
        
        PID:4116
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        14⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        12⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        11⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        10⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        9⤵
        Adds Run key to start application
        
        PID:4608
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        9⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        10⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        10⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        9⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        8⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        7⤵
        
        PID:1544
      - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        6⤵
        
        PID:3088
    - - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        5⤵
        
        PID:1116
  - - C:\Windows\SysWOW64\arp.exe
      arp.exe
      4⤵
      PID:4000
- - C:\Windows\SysWOW64\arp.exe
    arp.exe
    3⤵
    PID:4888

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:4964

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3764

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:5040
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  PID:3336
- - C:\Windows\SysWOW64\winpub.exe
    C:\Windows\system32\winpub.exe
    3⤵
    PID:2336
- - C:\Windows\SysWOW64\arp.exe
    arp.exe
    3⤵
    PID:2904
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:1264

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:548

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:4576
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  PID:2128
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  - Executes dropped EXE
  PID:4568

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:1996

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:928

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:4248

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:3880

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:4920

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:3692

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:4044

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
- Process spawned unexpected child process
PID:4648

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:1856

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:3092
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  PID:3632
- - C:\Windows\SysWOW64\winpub.exe
    C:\Windows\system32\winpub.exe
    3⤵
    PID:4328
- - C:\Windows\SysWOW64\arp.exe
    arp.exe
    3⤵
    PID:2364
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:4548

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:4936

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
- Drops file in System32 directory
PID:4652

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:1344

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:1112
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  PID:1832
- - C:\Windows\SysWOW64\winpub.exe
    C:\Windows\system32\winpub.exe
    3⤵
    PID:2004
  - - C:\Windows\SysWOW64\winpub.exe
      C:\Windows\system32\winpub.exe
      4⤵
      PID:2900
    - - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        5⤵
        
        PID:4452
    - - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        5⤵
        
        PID:4072
  - - C:\Windows\SysWOW64\arp.exe
      arp.exe
      4⤵
      PID:688
- - C:\Windows\SysWOW64\arp.exe
    arp.exe
    3⤵
    PID:2068
  - - C:\Windows\SysWOW64\winpub.exe
      C:\Windows\system32\winpub.exe
      4⤵
      PID:3692
    - - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        5⤵
        
        PID:3108
      - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        6⤵
        
        PID:1328
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        7⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        8⤵
        Adds Run key to start application
        
        PID:3936
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        9⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        10⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        11⤵
        
        PID:364
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        12⤵
        
        PID:1256
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        12⤵
        
        PID:4372
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        11⤵
        
        PID:4040
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        10⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        9⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        8⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        9⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        10⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        11⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        12⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        12⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        11⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        10⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        9⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        7⤵
        
        PID:2644
      - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        6⤵
        
        PID:3724
      - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        6⤵
        
        PID:4952
      - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        6⤵
        
        PID:2496
    - - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        5⤵
        
        PID:3580
  - - C:\Windows\SysWOW64\arp.exe
      arp.exe
      4⤵
      PID:2664
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:4012

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:4692

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:5060
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:3868
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    PID:5116
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  PID:4556
- - C:\Windows\SysWOW64\winpub.exe
    C:\Windows\system32\winpub.exe
    3⤵
    PID:2796
  - - C:\Windows\SysWOW64\winpub.exe
      C:\Windows\system32\winpub.exe
      4⤵
      PID:4592
    - - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        5⤵
        
        PID:2624
    - - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        5⤵
        
        PID:4856
  - - C:\Windows\SysWOW64\arp.exe
      arp.exe
      4⤵
      PID:4912
- - C:\Windows\SysWOW64\arp.exe
    arp.exe
    3⤵
    PID:3388

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:3456

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:2296
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  PID:1816
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:4552

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:3112

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:2336
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  PID:4220
- - C:\Windows\SysWOW64\winpub.exe
    C:\Windows\system32\winpub.exe
    3⤵
    PID:932
- - C:\Windows\SysWOW64\arp.exe
    arp.exe
    3⤵
    PID:4728
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:1284

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
- Adds Run key to start application
- Drops file in System32 directory
PID:2204
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  PID:4692
- - C:\Windows\SysWOW64\winpub.exe
    C:\Windows\system32\winpub.exe
    3⤵
    PID:1852
  - - C:\Windows\SysWOW64\winpub.exe
      C:\Windows\system32\winpub.exe
      4⤵
      PID:4176
    - - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        5⤵
        
        PID:228
    - - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        5⤵
        
        PID:3104
  - - C:\Windows\SysWOW64\arp.exe
      arp.exe
      4⤵
      PID:1252
- - C:\Windows\SysWOW64\arp.exe
    arp.exe
    3⤵
    PID:3176
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:3496

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:4500

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:3852
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:3228
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  PID:1196
- - C:\Windows\SysWOW64\winpub.exe
    C:\Windows\system32\winpub.exe
    3⤵
    PID:4956
- - C:\Windows\SysWOW64\arp.exe
    arp.exe
    3⤵
    PID:2424
- - C:\Windows\SysWOW64\winpub.exe
    C:\Windows\system32\winpub.exe
    3⤵
    PID:1760
- - C:\Windows\SysWOW64\arp.exe
    arp.exe
    3⤵
    PID:2708

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:2656

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:4960

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:396
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  PID:2952
- - C:\Windows\SysWOW64\winpub.exe
    C:\Windows\system32\winpub.exe
    3⤵
    PID:4080
  - - C:\Windows\SysWOW64\arp.exe
      arp.exe
      4⤵
      PID:4016
  - - C:\Windows\SysWOW64\winpub.exe
      C:\Windows\system32\winpub.exe
      4⤵
      PID:560
    - - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        5⤵
        
        PID:456
    - - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        5⤵
        
        PID:1732
- - C:\Windows\SysWOW64\arp.exe
    arp.exe
    3⤵
    PID:1372
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:4928

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:1552

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:2208

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:2424

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:4532

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:1768

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
- Adds Run key to start application
PID:1452

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:3640

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:2680

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:3120

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:456
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  PID:3672
- - C:\Windows\SysWOW64\winpub.exe
    C:\Windows\system32\winpub.exe
    3⤵
    PID:4072
  - - C:\Windows\SysWOW64\winpub.exe
      C:\Windows\system32\winpub.exe
      4⤵
      PID:3124
    - - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        5⤵
        
        PID:3944
    - - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        5⤵
        
        PID:2904
  - - C:\Windows\SysWOW64\arp.exe
      arp.exe
      4⤵
      PID:4144
- - C:\Windows\SysWOW64\arp.exe
    arp.exe
    3⤵
    PID:4196
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:1920

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:3480

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:1116
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:332
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  PID:1328
- - C:\Windows\SysWOW64\winpub.exe
    C:\Windows\system32\winpub.exe
    3⤵
    PID:4972
  - - C:\Windows\SysWOW64\winpub.exe
      C:\Windows\system32\winpub.exe
      4⤵
      PID:3980
    - - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        5⤵
        
        PID:364
      - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        6⤵
        
        PID:3328
      - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        6⤵
        
        PID:3468
    - - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        5⤵
        
        PID:64
  - - C:\Windows\SysWOW64\arp.exe
      arp.exe
      4⤵
      PID:4060

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:2332

C:\Windows\SysWOW64\winpub.exe
C:\Windows\system32\winpub.exe
1⤵
PID:3164
- C:\Windows\SysWOW64\winpub.exe
  C:\Windows\system32\winpub.exe
  2⤵
  PID:4908
- - C:\Windows\SysWOW64\winpub.exe
    C:\Windows\system32\winpub.exe
    3⤵
    PID:2656
  - - C:\Windows\SysWOW64\winpub.exe
      C:\Windows\system32\winpub.exe
      4⤵
      PID:5088
    - - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        5⤵
        
        PID:2296
      - C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        6⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        7⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        8⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        9⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        10⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        11⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        12⤵
        
        PID:3448
        
        C:\Windows\SysWOW64\winpub.exe
        
        C:\Windows\system32\winpub.exe
        13⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        13⤵
        
        PID:4896
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        12⤵
        
        PID:4220
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        11⤵
        
        PID:4248
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        10⤵
        
        PID:912
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        9⤵
        
        PID:3848
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        8⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        7⤵
        
        PID:2220
      - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        6⤵
        
        PID:2844
    - - C:\Windows\SysWOW64\arp.exe
        
        arp.exe
        5⤵
        
        PID:456
  - - C:\Windows\SysWOW64\arp.exe
      arp.exe
      4⤵
      PID:1140
- - C:\Windows\SysWOW64\arp.exe
    arp.exe
    3⤵
    PID:3648
- C:\Windows\SysWOW64\arp.exe
  arp.exe
  2⤵
  PID:4048

C:\Windows\SysWOW64\arp.exe
arp.exe
1⤵
PID:3196

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:5056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
C:\Windows\SysWOW64\winpub.exe

Filesize
112KB

MD5
9cb9f8e32e51ecef897563c0f5e8cd85

SHA1
2bc90dbb1efe3982cba4a6367af726f82c2aa79a

SHA256
9513e8f3589c60c043962657989ca9854a4804bc67aac06d53e58353fb355f73

SHA512
b1b947a960bcf285488e3d69f32de8ddffeb4552c4f8da2f2ff98d9d6301ec4f59311b6a845b28fec62c2664032a4999996921cb518a3caee1e302930e97b3c0

Download Submit
memory/224-267-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/308-263-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/456-239-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/752-226-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/928-138-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/928-132-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1332-319-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1424-183-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1436-242-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1468-255-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1640-294-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1708-312-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1732-281-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1792-269-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1892-178-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1892-174-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1952-259-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1952-157-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2000-304-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2268-230-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2296-287-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2380-301-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2424-300-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2424-298-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2496-289-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2560-162-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2896-153-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3184-270-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3232-278-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3320-282-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3472-284-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3484-195-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3496-310-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3648-173-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3668-223-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3708-209-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3820-169-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3820-264-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3932-315-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3984-218-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3984-297-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4048-318-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4056-165-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4116-292-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4204-273-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4248-190-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4272-306-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4408-275-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4452-186-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4520-140-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4524-276-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4544-203-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4576-198-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4684-234-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4744-251-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4748-206-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4772-314-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4784-215-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4876-308-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4928-247-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4928-245-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4964-149-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4988-145-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5044-290-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download