dd4e3afb2a2ea6800301fc6bc55869685221d81045aa697f9c89d29e60f5580a

Analysis

max time kernel
156s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 20:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd4e3afb2a2ea6800301fc6bc55869685221d81045aa697f9c89d29e60f5580a.exe
Size

9.6MB
MD5

baee066a147e3e7cc605f525c1b3b917
SHA1

0a7b1193fb18a9bb20632537f77c1aacf961ee0a
SHA256

dd4e3afb2a2ea6800301fc6bc55869685221d81045aa697f9c89d29e60f5580a
SHA512

7d77fc0f8dc5b90ed7c2d0c10aeaa0e715918bd191ed7507a1f0c5bf57ed05503b06114ea86d7aa1a8971c559ad41498aed042be2086ef809ab220adb0777561
SSDEEP

24576:aDyTFtj+DyTFtjFDyTFtjBDyTFtjTDyTFtjzDyTFtj:HtntWtatYtYt

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
576	tmp7102553.exe
2000	tmp7104020.exe
864	tmp7106063.exe
1604	tmp7106313.exe
1560	tmp7108247.exe
1528	tmp7108684.exe
588	tmp7112132.exe
1584	tmp7113458.exe
692	tmp7113879.exe
604	tmp7114768.exe
1924	tmp7115314.exe
1696	tmp7115767.exe
1320	notpad.exe
824	tmp7119870.exe
832	tmp7120306.exe
1164	notpad.exe
900	tmp7121320.exe
1176	notpad.exe
1352	tmp7121757.exe
1708	tmp7122210.exe
1684	notpad.exe
1500	tmp7122631.exe
988	tmp7123333.exe
1548	notpad.exe
1792	tmp7124456.exe
1704	tmp7124752.exe
1944	notpad.exe
588	tmp7126406.exe
1284	tmp7126952.exe
692	notpad.exe
956	tmp7128309.exe
976	tmp7128980.exe
1960	notpad.exe
772	tmp7129651.exe
1756	tmp7129791.exe
1972	tmp7130696.exe
1476	notpad.exe
924	tmp7130992.exe
1328	tmp7132474.exe
564	notpad.exe
1552	tmp7134690.exe
1824	tmp7136577.exe
1640	notpad.exe
1492	tmp7137326.exe
788	tmp7138480.exe
1692	notpad.exe
2012	tmp7139026.exe
1748	notpad.exe
1504	tmp7139588.exe
1176	tmp7139838.exe
308	notpad.exe
1088	tmp7140633.exe
988	tmp7140820.exe
1744	tmp7141647.exe
1896	notpad.exe
524	tmp7141944.exe
584	notpad.exe
1296	tmp7143660.exe
1488	tmp7144720.exe
1944	notpad.exe
2004	tmp7146577.exe
1808	tmp7146889.exe
1508	tmp7148324.exe
1732	notpad.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1672-54-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0007000000005c50-60.dat	upx
behavioral1/files/0x0007000000005c50-63.dat	upx
behavioral1/files/0x0007000000005c50-65.dat	upx
behavioral1/memory/1672-64-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0007000000005c50-61.dat	upx
behavioral1/memory/2000-71-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0008000000012301-72.dat	upx
behavioral1/files/0x0008000000012301-77.dat	upx
behavioral1/memory/2000-76-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0008000000012301-75.dat	upx
behavioral1/files/0x0008000000012301-73.dat	upx
behavioral1/memory/1604-83-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0008000000012353-85.dat	upx
behavioral1/files/0x0008000000012353-86.dat	upx
behavioral1/files/0x0008000000012353-88.dat	upx
behavioral1/files/0x0008000000012353-89.dat	upx
behavioral1/memory/1604-90-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1528-91-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0008000000012732-100.dat	upx
behavioral1/files/0x0008000000012732-101.dat	upx
behavioral1/files/0x0008000000012732-98.dat	upx
behavioral1/files/0x0008000000012732-97.dat	upx
behavioral1/memory/1528-102-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1584-103-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00080000000126d3-109.dat	upx
behavioral1/files/0x00070000000132c1-111.dat	upx
behavioral1/files/0x00070000000132c1-113.dat	upx
behavioral1/files/0x00070000000132c1-115.dat	upx
behavioral1/memory/1584-114-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00070000000132c1-110.dat	upx
behavioral1/memory/864-121-0x0000000001D00000-0x0000000001D1F000-memory.dmp	upx
behavioral1/memory/604-122-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/604-127-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00080000000126d3-132.dat	upx
behavioral1/files/0x00080000000126d3-131.dat	upx
behavioral1/files/0x00080000000126d3-129.dat	upx
behavioral1/files/0x000700000001268a-139.dat	upx
behavioral1/memory/1320-145-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00080000000126d3-146.dat	upx
behavioral1/files/0x00080000000126d3-149.dat	upx
behavioral1/memory/1164-151-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00080000000126d3-147.dat	upx
behavioral1/files/0x000700000001268a-157.dat	upx
behavioral1/files/0x00080000000126d3-160.dat	upx
behavioral1/memory/1164-163-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1176-167-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1176-170-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1684-177-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1548-176-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1684-179-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1548-184-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1944-187-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1944-192-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/692-197-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1960-199-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1960-204-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1476-206-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1476-211-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/564-213-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/564-218-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1640-222-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1640-225-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1692-232-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Loads dropped DLL 64 IoCs

pid	Process
1672	dd4e3afb2a2ea6800301fc6bc55869685221d81045aa697f9c89d29e60f5580a.exe
1672	dd4e3afb2a2ea6800301fc6bc55869685221d81045aa697f9c89d29e60f5580a.exe
1672	dd4e3afb2a2ea6800301fc6bc55869685221d81045aa697f9c89d29e60f5580a.exe
1672	dd4e3afb2a2ea6800301fc6bc55869685221d81045aa697f9c89d29e60f5580a.exe
2000	tmp7104020.exe
2000	tmp7104020.exe
2000	tmp7104020.exe
2000	tmp7104020.exe
1604	tmp7106313.exe
1604	tmp7106313.exe
1604	tmp7106313.exe
1604	tmp7106313.exe
1528	tmp7108684.exe
1528	tmp7108684.exe
1528	tmp7108684.exe
1528	tmp7108684.exe
1584	tmp7113458.exe
1584	tmp7113458.exe
864	tmp7106063.exe
1584	tmp7113458.exe
1584	tmp7113458.exe
604	tmp7114768.exe
604	tmp7114768.exe
604	tmp7114768.exe
604	tmp7114768.exe
864	tmp7106063.exe
1320	notpad.exe
1320	notpad.exe
1320	notpad.exe
824	tmp7119870.exe
824	tmp7119870.exe
1164	notpad.exe
1164	notpad.exe
900	tmp7121320.exe
900	tmp7121320.exe
1164	notpad.exe
1212	WerFault.exe
1212	WerFault.exe
1176	notpad.exe
1176	notpad.exe
1708	tmp7122210.exe
1708	tmp7122210.exe
1176	notpad.exe
1684	notpad.exe
1684	notpad.exe
988	tmp7123333.exe
988	tmp7123333.exe
1684	notpad.exe
1548	notpad.exe
1548	notpad.exe
1704	tmp7124752.exe
1704	tmp7124752.exe
1548	notpad.exe
1944	notpad.exe
1944	notpad.exe
1284	tmp7126952.exe
1284	tmp7126952.exe
1944	notpad.exe
692	notpad.exe
692	notpad.exe
976	tmp7128980.exe
976	tmp7128980.exe
692	notpad.exe
1960	notpad.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\notpad.exe	tmp7178230.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7183424.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7208182.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7139026.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7150867.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7157232.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7176857.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7232533.exe
File created	C:\Windows\SysWOW64\fsb.tmp	tmp7106063.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7124752.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7150867.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7186856.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7183861.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7205654.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7212955.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7139026.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7154892.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7175281.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7180148.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7152911.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7190117.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7200631.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7162505.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7165281.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7180351.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7228509.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7243001.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7182223.exe
File created	C:\Windows\SysWOW64\notpad.exe-	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7198057.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7185484.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7166670.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7233922.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7237354.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7141944.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7164361.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7226683.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7240068.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7126952.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7159775.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7237401.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7173003.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7220755.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7223158.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7166670.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7168167.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7205654.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7232533.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7139838.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7176857.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7191412.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7211442.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7195202.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7223158.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7123333.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7128980.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7175359.exe
File created	C:\Windows\SysWOW64\notpad.exe	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7175577.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7180148.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7182020.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7183861.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7106063.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7139838.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1212	1696	WerFault.exe	39

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7220880.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7148543.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7157029.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7184095.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7188167.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7205654.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7121320.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7150867.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7163862.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7183861.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7190117.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7232533.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7233922.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7106063.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7123333.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7159775.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7176857.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7182020.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7195202.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7234983.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7130992.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7163565.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7164361.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7165313.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7178230.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7217698.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7237401.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7119870.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7129791.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7139026.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7151725.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7161491.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7216918.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7235856.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7156077.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7180351.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7183424.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7204344.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7216278.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7228509.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7134690.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7173003.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7184314.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7209336.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7211442.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7212955.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7223158.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7225045.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7139838.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7140820.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7146889.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7172785.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7175359.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7226683.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7243001.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7241207.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7128980.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7180148.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7182223.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7207792.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7240068.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7175281.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7224234.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 576	1672	dd4e3afb2a2ea6800301fc6bc55869685221d81045aa697f9c89d29e60f5580a.exe	27
PID 1672 wrote to memory of 576	1672	dd4e3afb2a2ea6800301fc6bc55869685221d81045aa697f9c89d29e60f5580a.exe	27
PID 1672 wrote to memory of 576	1672	dd4e3afb2a2ea6800301fc6bc55869685221d81045aa697f9c89d29e60f5580a.exe	27
PID 1672 wrote to memory of 576	1672	dd4e3afb2a2ea6800301fc6bc55869685221d81045aa697f9c89d29e60f5580a.exe	27
PID 1672 wrote to memory of 2000	1672	dd4e3afb2a2ea6800301fc6bc55869685221d81045aa697f9c89d29e60f5580a.exe	28
PID 1672 wrote to memory of 2000	1672	dd4e3afb2a2ea6800301fc6bc55869685221d81045aa697f9c89d29e60f5580a.exe	28
PID 1672 wrote to memory of 2000	1672	dd4e3afb2a2ea6800301fc6bc55869685221d81045aa697f9c89d29e60f5580a.exe	28
PID 1672 wrote to memory of 2000	1672	dd4e3afb2a2ea6800301fc6bc55869685221d81045aa697f9c89d29e60f5580a.exe	28
PID 2000 wrote to memory of 864	2000	tmp7104020.exe	29
PID 2000 wrote to memory of 864	2000	tmp7104020.exe	29
PID 2000 wrote to memory of 864	2000	tmp7104020.exe	29
PID 2000 wrote to memory of 864	2000	tmp7104020.exe	29
PID 2000 wrote to memory of 1604	2000	tmp7104020.exe	30
PID 2000 wrote to memory of 1604	2000	tmp7104020.exe	30
PID 2000 wrote to memory of 1604	2000	tmp7104020.exe	30
PID 2000 wrote to memory of 1604	2000	tmp7104020.exe	30
PID 1604 wrote to memory of 1560	1604	tmp7106313.exe	31
PID 1604 wrote to memory of 1560	1604	tmp7106313.exe	31
PID 1604 wrote to memory of 1560	1604	tmp7106313.exe	31
PID 1604 wrote to memory of 1560	1604	tmp7106313.exe	31
PID 1604 wrote to memory of 1528	1604	tmp7106313.exe	32
PID 1604 wrote to memory of 1528	1604	tmp7106313.exe	32
PID 1604 wrote to memory of 1528	1604	tmp7106313.exe	32
PID 1604 wrote to memory of 1528	1604	tmp7106313.exe	32
PID 1528 wrote to memory of 588	1528	tmp7108684.exe	33
PID 1528 wrote to memory of 588	1528	tmp7108684.exe	33
PID 1528 wrote to memory of 588	1528	tmp7108684.exe	33
PID 1528 wrote to memory of 588	1528	tmp7108684.exe	33
PID 1528 wrote to memory of 1584	1528	tmp7108684.exe	34
PID 1528 wrote to memory of 1584	1528	tmp7108684.exe	34
PID 1528 wrote to memory of 1584	1528	tmp7108684.exe	34
PID 1528 wrote to memory of 1584	1528	tmp7108684.exe	34
PID 1584 wrote to memory of 692	1584	tmp7113458.exe	35
PID 1584 wrote to memory of 692	1584	tmp7113458.exe	35
PID 1584 wrote to memory of 692	1584	tmp7113458.exe	35
PID 1584 wrote to memory of 692	1584	tmp7113458.exe	35
PID 1584 wrote to memory of 604	1584	tmp7113458.exe	37
PID 1584 wrote to memory of 604	1584	tmp7113458.exe	37
PID 1584 wrote to memory of 604	1584	tmp7113458.exe	37
PID 1584 wrote to memory of 604	1584	tmp7113458.exe	37
PID 604 wrote to memory of 1924	604	tmp7114768.exe	38
PID 604 wrote to memory of 1924	604	tmp7114768.exe	38
PID 604 wrote to memory of 1924	604	tmp7114768.exe	38
PID 604 wrote to memory of 1924	604	tmp7114768.exe	38
PID 604 wrote to memory of 1696	604	tmp7114768.exe	39
PID 604 wrote to memory of 1696	604	tmp7114768.exe	39
PID 604 wrote to memory of 1696	604	tmp7114768.exe	39
PID 604 wrote to memory of 1696	604	tmp7114768.exe	39
PID 864 wrote to memory of 1320	864	tmp7106063.exe	36
PID 864 wrote to memory of 1320	864	tmp7106063.exe	36
PID 864 wrote to memory of 1320	864	tmp7106063.exe	36
PID 864 wrote to memory of 1320	864	tmp7106063.exe	36
PID 1696 wrote to memory of 1212	1696	tmp7115767.exe	40
PID 1696 wrote to memory of 1212	1696	tmp7115767.exe	40
PID 1696 wrote to memory of 1212	1696	tmp7115767.exe	40
PID 1696 wrote to memory of 1212	1696	tmp7115767.exe	40
PID 1320 wrote to memory of 824	1320	notpad.exe	41
PID 1320 wrote to memory of 824	1320	notpad.exe	41
PID 1320 wrote to memory of 824	1320	notpad.exe	41
PID 1320 wrote to memory of 824	1320	notpad.exe	41
PID 1320 wrote to memory of 832	1320	notpad.exe	42
PID 1320 wrote to memory of 832	1320	notpad.exe	42
PID 1320 wrote to memory of 832	1320	notpad.exe	42
PID 1320 wrote to memory of 832	1320	notpad.exe	42

C:\Users\Admin\AppData\Local\Temp\dd4e3afb2a2ea6800301fc6bc55869685221d81045aa697f9c89d29e60f5580a.exe
"C:\Users\Admin\AppData\Local\Temp\dd4e3afb2a2ea6800301fc6bc55869685221d81045aa697f9c89d29e60f5580a.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Users\Admin\AppData\Local\Temp\tmp7102553.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7102553.exe
  2⤵
  - Executes dropped EXE
  PID:576
- C:\Users\Admin\AppData\Local\Temp\tmp7104020.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7104020.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2000
- - C:\Users\Admin\AppData\Local\Temp\tmp7106063.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7106063.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:864
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1320
    - - C:\Users\Admin\AppData\Local\Temp\tmp7119870.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7119870.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:824
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121320.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121320.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:900
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122210.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122210.exe
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1708
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123333.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7123333.exe
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:988
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124752.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124752.exe
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1704
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126952.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126952.exe
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1284
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128980.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128980.exe
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:976
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129791.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129791.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        Executes dropped EXE
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130992.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130992.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        22⤵
        Executes dropped EXE
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134690.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7134690.exe
        23⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        24⤵
        Executes dropped EXE
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137326.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7137326.exe
        25⤵
        Executes dropped EXE
        
        PID:1492
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        26⤵
        Executes dropped EXE
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139026.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139026.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        28⤵
        Executes dropped EXE
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139838.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139838.exe
        29⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1176
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        30⤵
        Executes dropped EXE
        
        PID:308
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140820.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140820.exe
        31⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:988
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        32⤵
        Executes dropped EXE
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141944.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141944.exe
        33⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:524
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        34⤵
        Executes dropped EXE
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144720.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144720.exe
        35⤵
        Executes dropped EXE
        
        PID:1488
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        36⤵
        Executes dropped EXE
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146889.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146889.exe
        37⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        38⤵
        Executes dropped EXE
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148543.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148543.exe
        39⤵
        Modifies registry class
        
        PID:536
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        40⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150867.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7150867.exe
        41⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1128
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        42⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151725.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151725.exe
        43⤵
        Modifies registry class
        
        PID:1224
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        44⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152911.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152911.exe
        45⤵
        Drops file in System32 directory
        
        PID:928
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        46⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153503.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153503.exe
        47⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        48⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154892.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154892.exe
        49⤵
        Drops file in System32 directory
        
        PID:1168
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        50⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156077.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156077.exe
        51⤵
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        52⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157029.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157029.exe
        53⤵
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        54⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157700.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157700.exe
        55⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157762.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157762.exe
        55⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158355.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158355.exe
        56⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159494.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159494.exe
        56⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157450.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157450.exe
        53⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157856.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157856.exe
        54⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159572.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159572.exe
        54⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156467.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156467.exe
        51⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157232.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157232.exe
        52⤵
        Drops file in System32 directory
        
        PID:1684
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        53⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158168.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158168.exe
        54⤵
        
        PID:800
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        55⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159775.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159775.exe
        56⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1808
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        57⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162505.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162505.exe
        58⤵
        Drops file in System32 directory
        
        PID:1076
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        59⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163222.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163222.exe
        60⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163690.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163690.exe
        60⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164657.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164657.exe
        61⤵
        
        PID:576
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        62⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165297.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165297.exe
        63⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        64⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166670.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166670.exe
        65⤵
        Drops file in System32 directory
        
        PID:1548
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        66⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168277.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168277.exe
        67⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172083.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172083.exe
        67⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173003.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173003.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        69⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175359.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        71⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175577.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175577.exe
        72⤵
        Drops file in System32 directory
        
        PID:1104
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        73⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176857.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176857.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        75⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177793.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177793.exe
        76⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        77⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179883.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179883.exe
        78⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181974.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181974.exe
        78⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183206.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183206.exe
        79⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182925.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182925.exe
        79⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179556.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179556.exe
        76⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180367.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180367.exe
        77⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182067.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182067.exe
        77⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177652.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177652.exe
        74⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178230.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178230.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1824
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        76⤵
        
        PID:308
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180148.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180148.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:952
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        78⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180507.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180507.exe
        79⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182114.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182114.exe
        79⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182566.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182566.exe
        80⤵
        
        PID:604
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183144.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183144.exe
        80⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180336.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180336.exe
        77⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182020.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182020.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1372
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        79⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182644.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182644.exe
        80⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183081.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183081.exe
        80⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183861.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183861.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1328
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        82⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184314.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184314.exe
        83⤵
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        84⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185125.exe
        85⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185374.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185374.exe
        85⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185998.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185998.exe
        86⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186482.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186482.exe
        86⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184938.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184938.exe
        83⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185484.exe
        84⤵
        Drops file in System32 directory
        
        PID:988
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        85⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198744.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198744.exe
        86⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199368.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199368.exe
        86⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200959.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200959.exe
        87⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201770.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201770.exe
        87⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186654.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186654.exe
        84⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184111.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184111.exe
        81⤵
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182301.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182301.exe
        78⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179930.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179930.exe
        75⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176623.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176623.exe
        72⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177122.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177122.exe
        73⤵
        
        PID:824
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        74⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177559.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177559.exe
        75⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179790.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7179790.exe
        75⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180351.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7180351.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        77⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182223.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182223.exe
        78⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:760
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        79⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183424.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183424.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1944
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        81⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184095.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184095.exe
        82⤵
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        83⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184750.exe
        84⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185203.exe
        84⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186186.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186186.exe
        85⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186420.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186420.exe
        85⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184548.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184548.exe
        82⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184969.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184969.exe
        83⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185218.exe
        83⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183939.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183939.exe
        80⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184610.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184610.exe
        81⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        82⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186326.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186326.exe
        83⤵
        
        PID:912
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        84⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186872.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186872.exe
        85⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187231.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187231.exe
        85⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188588.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188588.exe
        86⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189181.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189181.exe
        86⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186435.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186435.exe
        83⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186856.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186856.exe
        84⤵
        Drops file in System32 directory
        
        PID:976
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        85⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188167.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188167.exe
        86⤵
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        87⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190117.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190117.exe
        88⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        89⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191848.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191848.exe
        90⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        91⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195655.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195655.exe
        92⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196326.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196326.exe
        92⤵
        
        PID:272
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198728.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198728.exe
        93⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198010.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198010.exe
        93⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193190.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193190.exe
        90⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195124.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195124.exe
        91⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196092.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7196092.exe
        91⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190725.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190725.exe
        88⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191412.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191412.exe
        89⤵
        Drops file in System32 directory
        
        PID:564
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        90⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193065.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7193065.exe
        91⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194485.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194485.exe
        91⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195202.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195202.exe
        92⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1332
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        93⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198057.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198057.exe
        94⤵
        Drops file in System32 directory
        
        PID:912
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        95⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200631.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200631.exe
        96⤵
        Drops file in System32 directory
        
        PID:1456
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        97⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7202784.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7202784.exe
        98⤵
        
        PID:1088
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        99⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205654.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7205654.exe
        100⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:756
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        101⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208182.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208182.exe
        102⤵
        Drops file in System32 directory
        
        PID:1244
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        103⤵
        
        PID:308
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210085.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210085.exe
        104⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210678.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210678.exe
        104⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212113.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212113.exe
        105⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212877.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212877.exe
        105⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209196.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209196.exe
        102⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209789.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209789.exe
        103⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210413.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210413.exe
        103⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206949.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206949.exe
        100⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207792.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207792.exe
        101⤵
        Modifies registry class
        
        PID:576
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        102⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209336.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7209336.exe
        103⤵
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        104⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211442.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211442.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        106⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213283.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213283.exe
        107⤵
        
        PID:904
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214796.exe
        107⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215467.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215467.exe
        108⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216013.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216013.exe
        108⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212487.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212487.exe
        105⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212955.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212955.exe
        106⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1164
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        107⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214921.exe
        108⤵
        
        PID:1168
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        109⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216278.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216278.exe
        110⤵
        Modifies registry class
        
        PID:1000
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        111⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217698.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217698.exe
        112⤵
        Modifies registry class
        
        PID:572
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        113⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220085.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220085.exe
        114⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223891.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223891.exe
        114⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225264.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225264.exe
        115⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225888.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225888.exe
        115⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219585.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219585.exe
        112⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220755.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220755.exe
        113⤵
        Drops file in System32 directory
        
        PID:1752
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        114⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223158.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223158.exe
        115⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        116⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224281.exe
        117⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225435.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225435.exe
        117⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226683.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226683.exe
        118⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        119⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228509.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228509.exe
        120⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1088
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        121⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232533.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232533.exe
        122⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        123⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233438.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233438.exe
        124⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233641.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233641.exe
        124⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7234983.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7234983.exe
        125⤵
        Modifies registry class
        
        PID:1080
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        126⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235856.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235856.exe
        127⤵
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        128⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\tmp7236355.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7236355.exe
        129⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\tmp7238212.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7238212.exe
        129⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\tmp7239241.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7239241.exe
        130⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\tmp7240490.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7240490.exe
        130⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmp7244780.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7244780.exe
        131⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235950.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235950.exe
        127⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp7236496.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7236496.exe
        128⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        129⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\tmp7238727.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7238727.exe
        130⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7239741.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7239741.exe
        130⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\tmp7244202.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7244202.exe
        131⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7244764.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7244764.exe
        131⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\tmp7236777.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7236777.exe
        128⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\tmp7237354.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7237354.exe
        129⤵
        Drops file in System32 directory
        
        PID:1368
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        130⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmp7239413.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7239413.exe
        131⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmp7239507.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7239507.exe
        131⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\tmp7243001.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7243001.exe
        132⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        133⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\tmp7246199.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7246199.exe
        134⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp7243656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7243656.exe
        132⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\tmp7247151.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7247151.exe
        133⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\tmp7244826.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7244826.exe
        133⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7238337.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7238337.exe
        129⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235716.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235716.exe
        125⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\tmp7236433.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7236433.exe
        126⤵
        
        PID:668
        
        C:\Users\Admin\AppData\Local\Temp\tmp7236823.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7236823.exe
        126⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233095.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233095.exe
        122⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233579.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233579.exe
        123⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233766.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233766.exe
        123⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\tmp7234515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7234515.exe
        124⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235326.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235326.exe
        124⤵
        
        PID:472
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231987.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231987.exe
        120⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233313.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233313.exe
        121⤵
        
        PID:1616
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        122⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233922.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233922.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1176
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        124⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235435.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235435.exe
        125⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        126⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7236730.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7236730.exe
        127⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\tmp7239023.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7239023.exe
        127⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\tmp7240068.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7240068.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:588
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        129⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\tmp7244655.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7244655.exe
        130⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\tmp7247135.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7247135.exe
        130⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7241254.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7241254.exe
        128⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\tmp7244343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7244343.exe
        129⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\tmp7236543.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7236543.exe
        125⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\tmp7237401.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7237401.exe
        126⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1740
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        127⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmp7241207.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7241207.exe
        128⤵
        Modifies registry class
        
        PID:1072
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        129⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7243048.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7243048.exe
        128⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\tmp7244873.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7244873.exe
        129⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmp7247166.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7247166.exe
        129⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\tmp7252814.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7252814.exe
        130⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7239288.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7239288.exe
        126⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\tmp7240880.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7240880.exe
        127⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\tmp7242767.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7242767.exe
        127⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\tmp7234686.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7234686.exe
        123⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp7236277.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7236277.exe
        124⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7236558.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7236558.exe
        124⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp7238976.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7238976.exe
        125⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\tmp7240115.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7240115.exe
        125⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233547.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233547.exe
        121⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\tmp7234515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7234515.exe
        122⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235263.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235263.exe
        122⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227573.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227573.exe
        118⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223844.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223844.exe
        115⤵
        
        PID:308
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224515.exe
        116⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225357.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225357.exe
        116⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222986.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222986.exe
        113⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217542.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217542.exe
        110⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222861.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222861.exe
        111⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223376.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223376.exe
        111⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215826.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215826.exe
        108⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216918.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216918.exe
        109⤵
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        110⤵
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220880.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220880.exe
        111⤵
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        112⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223454.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223454.exe
        113⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224063.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224063.exe
        113⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225045.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225045.exe
        114⤵
        Modifies registry class
        
        PID:1968
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        115⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225451.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225451.exe
        114⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223251.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7223251.exe
        111⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224234.exe
        112⤵
        Modifies registry class
        
        PID:1584
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        113⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225404.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225404.exe
        114⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225935.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225935.exe
        114⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227339.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227339.exe
        115⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228119.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228119.exe
        115⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225139.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225139.exe
        112⤵
        
        PID:604
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220740.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220740.exe
        109⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214250.exe
        106⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210257.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7210257.exe
        103⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211739.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7211739.exe
        104⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212628.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212628.exe
        104⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208868.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7208868.exe
        101⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204344.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204344.exe
        98⤵
        Modifies registry class
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206122.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206122.exe
        99⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207292.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7207292.exe
        99⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201271.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201271.exe
        96⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203299.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7203299.exe
        97⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7204921.exe
        97⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198634.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7198634.exe
        94⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199586.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7199586.exe
        95⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201754.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7201754.exe
        95⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195561.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195561.exe
        92⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192223.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192223.exe
        89⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188822.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188822.exe
        86⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189633.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189633.exe
        87⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        88⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191490.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191490.exe
        89⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192410.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192410.exe
        89⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194656.exe
        90⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195920.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7195920.exe
        90⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190444.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190444.exe
        87⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187184.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187184.exe
        84⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185156.exe
        81⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183066.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183066.exe
        78⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183814.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183814.exe
        79⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184002.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184002.exe
        79⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181552.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7181552.exe
        76⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177340.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177340.exe
        73⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175375.exe
        70⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175921.exe
        71⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176701.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176701.exe
        71⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174735.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174735.exe
        68⤵
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167247.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167247.exe
        65⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168214.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168214.exe
        66⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171038.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171038.exe
        66⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166186.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166186.exe
        63⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168167.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168167.exe
        64⤵
        Drops file in System32 directory
        
        PID:1084
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        65⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170149.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170149.exe
        66⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172161.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172161.exe
        66⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173050.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173050.exe
        67⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174922.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174922.exe
        67⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169790.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169790.exe
        64⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165125.exe
        61⤵
        
        PID:308
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163019.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163019.exe
        58⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163565.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163565.exe
        59⤵
        Modifies registry class
        
        PID:1824
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        60⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164002.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164002.exe
        61⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164891.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164891.exe
        61⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165313.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165313.exe
        62⤵
        Modifies registry class
        
        PID:692
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        63⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166826.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166826.exe
        64⤵
        
        PID:472
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167481.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167481.exe
        64⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169899.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7169899.exe
        65⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172301.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172301.exe
        65⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166623.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166623.exe
        62⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163831.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163831.exe
        59⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161506.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161506.exe
        56⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162973.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162973.exe
        57⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163768.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163768.exe
        57⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159431.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159431.exe
        54⤵
        
        PID:604
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161491.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161491.exe
        55⤵
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        56⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163862.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163862.exe
        57⤵
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        58⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164361.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164361.exe
        59⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        60⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165094.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165094.exe
        61⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166108.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166108.exe
        61⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168199.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7168199.exe
        62⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        63⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172785.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7172785.exe
        64⤵
        Modifies registry class
        
        PID:1764
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        65⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173924.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173924.exe
        66⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174907.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174907.exe
        66⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175281.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        68⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175687.exe
        69⤵
        
        PID:604
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176607.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176607.exe
        69⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176763.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7176763.exe
        70⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177356.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177356.exe
        70⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175484.exe
        67⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173737.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173737.exe
        64⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174985.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7174985.exe
        65⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175297.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7175297.exe
        65⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170913.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7170913.exe
        62⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164845.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164845.exe
        59⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165281.exe
        60⤵
        Drops file in System32 directory
        
        PID:588
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        61⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7166015.exe
        62⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167497.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7167497.exe
        62⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171100.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7171100.exe
        63⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173643.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7173643.exe
        63⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165703.exe
        60⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164127.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164127.exe
        57⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164767.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164767.exe
        58⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165079.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7165079.exe
        58⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163316.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163316.exe
        55⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157684.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157684.exe
        52⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155485.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7155485.exe
        49⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154486.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7154486.exe
        47⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153285.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7153285.exe
        45⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152599.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7152599.exe
        43⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151366.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7151366.exe
        41⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149151.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7149151.exe
        39⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148324.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7148324.exe
        37⤵
        Executes dropped EXE
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146577.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146577.exe
        35⤵
        Executes dropped EXE
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143660.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143660.exe
        33⤵
        Executes dropped EXE
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141647.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7141647.exe
        31⤵
        Executes dropped EXE
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140633.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7140633.exe
        29⤵
        Executes dropped EXE
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139588.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7139588.exe
        27⤵
        Executes dropped EXE
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138480.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7138480.exe
        25⤵
        Executes dropped EXE
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136577.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7136577.exe
        23⤵
        Executes dropped EXE
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132474.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7132474.exe
        21⤵
        Executes dropped EXE
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130696.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7130696.exe
        19⤵
        Executes dropped EXE
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129651.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7129651.exe
        17⤵
        Executes dropped EXE
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128309.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7128309.exe
        15⤵
        Executes dropped EXE
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7126406.exe
        13⤵
        Executes dropped EXE
        
        PID:588
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124456.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7124456.exe
        11⤵
        Executes dropped EXE
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122631.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7122631.exe
        9⤵
        Executes dropped EXE
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121757.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121757.exe
        7⤵
        Executes dropped EXE
        
        PID:1352
    - - C:\Users\Admin\AppData\Local\Temp\tmp7120306.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7120306.exe
        5⤵
        Executes dropped EXE
        
        PID:832
- - C:\Users\Admin\AppData\Local\Temp\tmp7106313.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7106313.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1604
  - - C:\Users\Admin\AppData\Local\Temp\tmp7108247.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7108247.exe
      4⤵
      Executes dropped EXE
      PID:1560
  - - C:\Users\Admin\AppData\Local\Temp\tmp7108684.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7108684.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1528
    - - C:\Users\Admin\AppData\Local\Temp\tmp7112132.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7112132.exe
        5⤵
        Executes dropped EXE
        
        PID:588
    - - C:\Users\Admin\AppData\Local\Temp\tmp7113458.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113458.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1584
      - C:\Users\Admin\AppData\Local\Temp\tmp7113879.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7113879.exe
        6⤵
        Executes dropped EXE
        
        PID:692
      - C:\Users\Admin\AppData\Local\Temp\tmp7114768.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7114768.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:604
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115314.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115314.exe
        7⤵
        Executes dropped EXE
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115767.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7115767.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1696 -s 36
        8⤵
        Loads dropped DLL
        Program crash
        
        PID:1212

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7102553.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7104020.exe

Filesize
8.0MB

MD5
2d3a57d39e1ed30b61a7c024ca4ac2d2

SHA1
e5e38dddb239f0af623084ff3fe064a96232f994

SHA256
a8f5d12ec861fe257c8130745f005fdf1fea77c2f75d65fb2522d04859c688a7

SHA512
29bfd27345714d1faf7c0fb6b785690c4e3a44e1220ffe14c1dd5aeffb95aad50cf2cad1d71b064de0d72c340599974c97fb77d2b23a1cc0832e49ff610fce19

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7104020.exe

Filesize
8.0MB

MD5
2d3a57d39e1ed30b61a7c024ca4ac2d2

SHA1
e5e38dddb239f0af623084ff3fe064a96232f994

SHA256
a8f5d12ec861fe257c8130745f005fdf1fea77c2f75d65fb2522d04859c688a7

SHA512
29bfd27345714d1faf7c0fb6b785690c4e3a44e1220ffe14c1dd5aeffb95aad50cf2cad1d71b064de0d72c340599974c97fb77d2b23a1cc0832e49ff610fce19

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7106063.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7106063.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7106313.exe

Filesize
6.5MB

MD5
1fa4bd6730015f567004d1b168a5b440

SHA1
e3df9b3cee17585e149a1a2a454ca18c43ff466d

SHA256
fbbbb3983f1f0be065d263a78cf3b04618aa0b6f9d3c5e21f51ff1f5da05d695

SHA512
c4ac3634bded96abed09d438f190a79d57402d3ee7a997ddb32561672a2724a429730e18659e07e75666c00b1329e98a0744ccf1cf11ce34e53aba3682bfe7b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7106313.exe

Filesize
6.5MB

MD5
1fa4bd6730015f567004d1b168a5b440

SHA1
e3df9b3cee17585e149a1a2a454ca18c43ff466d

SHA256
fbbbb3983f1f0be065d263a78cf3b04618aa0b6f9d3c5e21f51ff1f5da05d695

SHA512
c4ac3634bded96abed09d438f190a79d57402d3ee7a997ddb32561672a2724a429730e18659e07e75666c00b1329e98a0744ccf1cf11ce34e53aba3682bfe7b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7108247.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7108684.exe

Filesize
4.9MB

MD5
743013fdff72ef37b5569dc367078c22

SHA1
84fb9108042b0eab231a46595d25a16f066d84c8

SHA256
48acd80ba16c375aa3793cd22c290998cf9edac89dfb6da0ff232dead6c34f7c

SHA512
116aa345ae7e2da765777b382a9f9f195d26af5ee4790c07f755ede21b1a4e9fa507e314f3fabff2c7abeec828e5e231544b85771a2a99dbba9bdf76ea6dbac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7108684.exe

Filesize
4.9MB

MD5
743013fdff72ef37b5569dc367078c22

SHA1
84fb9108042b0eab231a46595d25a16f066d84c8

SHA256
48acd80ba16c375aa3793cd22c290998cf9edac89dfb6da0ff232dead6c34f7c

SHA512
116aa345ae7e2da765777b382a9f9f195d26af5ee4790c07f755ede21b1a4e9fa507e314f3fabff2c7abeec828e5e231544b85771a2a99dbba9bdf76ea6dbac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7112132.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7113458.exe

Filesize
3.3MB

MD5
41506a5b7c72d5d724bd4b9dd53c99ed

SHA1
3a0e74e61a34a39121bfc1881b91ed50c031a9f3

SHA256
ff2736806079e720c92579ba7f8f388b15ab2b937d4f5d00296bfdcb9b614cf1

SHA512
d2cc2a85926315356f14de965b63762d81a6433839a51a8a5cd2ff98f2bd06fdb873fa55056b5a56a6b0da8d73694591209e9d17549277f01129bfbdc2dab356

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7113458.exe

Filesize
3.3MB

MD5
41506a5b7c72d5d724bd4b9dd53c99ed

SHA1
3a0e74e61a34a39121bfc1881b91ed50c031a9f3

SHA256
ff2736806079e720c92579ba7f8f388b15ab2b937d4f5d00296bfdcb9b614cf1

SHA512
d2cc2a85926315356f14de965b63762d81a6433839a51a8a5cd2ff98f2bd06fdb873fa55056b5a56a6b0da8d73694591209e9d17549277f01129bfbdc2dab356

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7113879.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7114768.exe

Filesize
1.7MB

MD5
639552812a711ab9e72fdea3d155e7e7

SHA1
a9d8868e999cb5890f37741d3657d26453b3d6b3

SHA256
f42ae0499bd0fa532448105ed5130286cdb26215d729d45da421e47bde656485

SHA512
ad3b36687cb1c686d97d3bf9fe209fdbb0d17d9fbfead703746c7cbc20e347f500eab306d997632f05067bc4000fc2c7c8765937997f05934472615b7160d3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7114768.exe

Filesize
1.7MB

MD5
639552812a711ab9e72fdea3d155e7e7

SHA1
a9d8868e999cb5890f37741d3657d26453b3d6b3

SHA256
f42ae0499bd0fa532448105ed5130286cdb26215d729d45da421e47bde656485

SHA512
ad3b36687cb1c686d97d3bf9fe209fdbb0d17d9fbfead703746c7cbc20e347f500eab306d997632f05067bc4000fc2c7c8765937997f05934472615b7160d3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7115314.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7115767.exe

Filesize
136KB

MD5
1d68240da3810b695cf9abb8d104c35d

SHA1
4a7b85bc8d64d792a573268c9bfd561c790ee963

SHA256
941992f358a72746ee378afb79a77a320ccb1ef83e31ae34ad923d191a7964b8

SHA512
bbc913b8749cc6593ab50423246578638428177ef248fe93650bf8d82605f4f181d8a2369aa44f1c31d47493be59e1d7d1c78f6cd6562f5f36e83b9348de1b55

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7119870.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7119870.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7120306.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7121320.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7121320.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.8MB

MD5
1b162005f656ca78f2b3c733ed76c892

SHA1
40a4c996eb7f0604eb408584d86e0285a87ac0a3

SHA256
1be3fb0b767a291137a95f1ac794450ac55352276125a683f77e301697cbf6ab

SHA512
5c77269da4fd4b29776b49a66f8f2ed9b207d95e40cf0816897b46b50a48bfb4a2f3e313da5f1b0a49c68f4b09854a69a555446ebc3627fa3563996af6f8ff2a

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.8MB

MD5
1b162005f656ca78f2b3c733ed76c892

SHA1
40a4c996eb7f0604eb408584d86e0285a87ac0a3

SHA256
1be3fb0b767a291137a95f1ac794450ac55352276125a683f77e301697cbf6ab

SHA512
5c77269da4fd4b29776b49a66f8f2ed9b207d95e40cf0816897b46b50a48bfb4a2f3e313da5f1b0a49c68f4b09854a69a555446ebc3627fa3563996af6f8ff2a

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.8MB

MD5
1b162005f656ca78f2b3c733ed76c892

SHA1
40a4c996eb7f0604eb408584d86e0285a87ac0a3

SHA256
1be3fb0b767a291137a95f1ac794450ac55352276125a683f77e301697cbf6ab

SHA512
5c77269da4fd4b29776b49a66f8f2ed9b207d95e40cf0816897b46b50a48bfb4a2f3e313da5f1b0a49c68f4b09854a69a555446ebc3627fa3563996af6f8ff2a

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7102553.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7102553.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7104020.exe

Filesize
8.0MB

MD5
2d3a57d39e1ed30b61a7c024ca4ac2d2

SHA1
e5e38dddb239f0af623084ff3fe064a96232f994

SHA256
a8f5d12ec861fe257c8130745f005fdf1fea77c2f75d65fb2522d04859c688a7

SHA512
29bfd27345714d1faf7c0fb6b785690c4e3a44e1220ffe14c1dd5aeffb95aad50cf2cad1d71b064de0d72c340599974c97fb77d2b23a1cc0832e49ff610fce19

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7104020.exe

Filesize
8.0MB

MD5
2d3a57d39e1ed30b61a7c024ca4ac2d2

SHA1
e5e38dddb239f0af623084ff3fe064a96232f994

SHA256
a8f5d12ec861fe257c8130745f005fdf1fea77c2f75d65fb2522d04859c688a7

SHA512
29bfd27345714d1faf7c0fb6b785690c4e3a44e1220ffe14c1dd5aeffb95aad50cf2cad1d71b064de0d72c340599974c97fb77d2b23a1cc0832e49ff610fce19

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7106063.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7106063.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7106313.exe

Filesize
6.5MB

MD5
1fa4bd6730015f567004d1b168a5b440

SHA1
e3df9b3cee17585e149a1a2a454ca18c43ff466d

SHA256
fbbbb3983f1f0be065d263a78cf3b04618aa0b6f9d3c5e21f51ff1f5da05d695

SHA512
c4ac3634bded96abed09d438f190a79d57402d3ee7a997ddb32561672a2724a429730e18659e07e75666c00b1329e98a0744ccf1cf11ce34e53aba3682bfe7b1

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7106313.exe

Filesize
6.5MB

MD5
1fa4bd6730015f567004d1b168a5b440

SHA1
e3df9b3cee17585e149a1a2a454ca18c43ff466d

SHA256
fbbbb3983f1f0be065d263a78cf3b04618aa0b6f9d3c5e21f51ff1f5da05d695

SHA512
c4ac3634bded96abed09d438f190a79d57402d3ee7a997ddb32561672a2724a429730e18659e07e75666c00b1329e98a0744ccf1cf11ce34e53aba3682bfe7b1

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7108247.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7108247.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7108684.exe

Filesize
4.9MB

MD5
743013fdff72ef37b5569dc367078c22

SHA1
84fb9108042b0eab231a46595d25a16f066d84c8

SHA256
48acd80ba16c375aa3793cd22c290998cf9edac89dfb6da0ff232dead6c34f7c

SHA512
116aa345ae7e2da765777b382a9f9f195d26af5ee4790c07f755ede21b1a4e9fa507e314f3fabff2c7abeec828e5e231544b85771a2a99dbba9bdf76ea6dbac0

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7108684.exe

Filesize
4.9MB

MD5
743013fdff72ef37b5569dc367078c22

SHA1
84fb9108042b0eab231a46595d25a16f066d84c8

SHA256
48acd80ba16c375aa3793cd22c290998cf9edac89dfb6da0ff232dead6c34f7c

SHA512
116aa345ae7e2da765777b382a9f9f195d26af5ee4790c07f755ede21b1a4e9fa507e314f3fabff2c7abeec828e5e231544b85771a2a99dbba9bdf76ea6dbac0

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7112132.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7112132.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7113458.exe

Filesize
3.3MB

MD5
41506a5b7c72d5d724bd4b9dd53c99ed

SHA1
3a0e74e61a34a39121bfc1881b91ed50c031a9f3

SHA256
ff2736806079e720c92579ba7f8f388b15ab2b937d4f5d00296bfdcb9b614cf1

SHA512
d2cc2a85926315356f14de965b63762d81a6433839a51a8a5cd2ff98f2bd06fdb873fa55056b5a56a6b0da8d73694591209e9d17549277f01129bfbdc2dab356

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7113458.exe

Filesize
3.3MB

MD5
41506a5b7c72d5d724bd4b9dd53c99ed

SHA1
3a0e74e61a34a39121bfc1881b91ed50c031a9f3

SHA256
ff2736806079e720c92579ba7f8f388b15ab2b937d4f5d00296bfdcb9b614cf1

SHA512
d2cc2a85926315356f14de965b63762d81a6433839a51a8a5cd2ff98f2bd06fdb873fa55056b5a56a6b0da8d73694591209e9d17549277f01129bfbdc2dab356

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7113879.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7113879.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7114768.exe

Filesize
1.7MB

MD5
639552812a711ab9e72fdea3d155e7e7

SHA1
a9d8868e999cb5890f37741d3657d26453b3d6b3

SHA256
f42ae0499bd0fa532448105ed5130286cdb26215d729d45da421e47bde656485

SHA512
ad3b36687cb1c686d97d3bf9fe209fdbb0d17d9fbfead703746c7cbc20e347f500eab306d997632f05067bc4000fc2c7c8765937997f05934472615b7160d3d1

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7114768.exe

Filesize
1.7MB

MD5
639552812a711ab9e72fdea3d155e7e7

SHA1
a9d8868e999cb5890f37741d3657d26453b3d6b3

SHA256
f42ae0499bd0fa532448105ed5130286cdb26215d729d45da421e47bde656485

SHA512
ad3b36687cb1c686d97d3bf9fe209fdbb0d17d9fbfead703746c7cbc20e347f500eab306d997632f05067bc4000fc2c7c8765937997f05934472615b7160d3d1

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7115314.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7115314.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7115767.exe

Filesize
136KB

MD5
1d68240da3810b695cf9abb8d104c35d

SHA1
4a7b85bc8d64d792a573268c9bfd561c790ee963

SHA256
941992f358a72746ee378afb79a77a320ccb1ef83e31ae34ad923d191a7964b8

SHA512
bbc913b8749cc6593ab50423246578638428177ef248fe93650bf8d82605f4f181d8a2369aa44f1c31d47493be59e1d7d1c78f6cd6562f5f36e83b9348de1b55

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7115767.exe

Filesize
136KB

MD5
1d68240da3810b695cf9abb8d104c35d

SHA1
4a7b85bc8d64d792a573268c9bfd561c790ee963

SHA256
941992f358a72746ee378afb79a77a320ccb1ef83e31ae34ad923d191a7964b8

SHA512
bbc913b8749cc6593ab50423246578638428177ef248fe93650bf8d82605f4f181d8a2369aa44f1c31d47493be59e1d7d1c78f6cd6562f5f36e83b9348de1b55

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7119870.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7119870.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7120306.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7121320.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7121320.exe

Filesize
1.6MB

MD5
478d5172be363f92d87f69264d93c732

SHA1
6fa546afe58ff2dd7ab75a85614d7911b423e2f0

SHA256
fb6954874dd91edafcc232a5543ee5034ee961f724a867509823d978e80be21d

SHA512
89777acff077e3054bd6dfbeaafc2b63fdc91c4914f8271990d91e65d5112ef510cc578f347787813165f2fe3bd1df750eedc1e65abdb79fc396aa5a636f87af

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
1.8MB

MD5
1b162005f656ca78f2b3c733ed76c892

SHA1
40a4c996eb7f0604eb408584d86e0285a87ac0a3

SHA256
1be3fb0b767a291137a95f1ac794450ac55352276125a683f77e301697cbf6ab

SHA512
5c77269da4fd4b29776b49a66f8f2ed9b207d95e40cf0816897b46b50a48bfb4a2f3e313da5f1b0a49c68f4b09854a69a555446ebc3627fa3563996af6f8ff2a

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
1.8MB

MD5
1b162005f656ca78f2b3c733ed76c892

SHA1
40a4c996eb7f0604eb408584d86e0285a87ac0a3

SHA256
1be3fb0b767a291137a95f1ac794450ac55352276125a683f77e301697cbf6ab

SHA512
5c77269da4fd4b29776b49a66f8f2ed9b207d95e40cf0816897b46b50a48bfb4a2f3e313da5f1b0a49c68f4b09854a69a555446ebc3627fa3563996af6f8ff2a

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
1.8MB

MD5
1b162005f656ca78f2b3c733ed76c892

SHA1
40a4c996eb7f0604eb408584d86e0285a87ac0a3

SHA256
1be3fb0b767a291137a95f1ac794450ac55352276125a683f77e301697cbf6ab

SHA512
5c77269da4fd4b29776b49a66f8f2ed9b207d95e40cf0816897b46b50a48bfb4a2f3e313da5f1b0a49c68f4b09854a69a555446ebc3627fa3563996af6f8ff2a

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
1.8MB

MD5
1b162005f656ca78f2b3c733ed76c892

SHA1
40a4c996eb7f0604eb408584d86e0285a87ac0a3

SHA256
1be3fb0b767a291137a95f1ac794450ac55352276125a683f77e301697cbf6ab

SHA512
5c77269da4fd4b29776b49a66f8f2ed9b207d95e40cf0816897b46b50a48bfb4a2f3e313da5f1b0a49c68f4b09854a69a555446ebc3627fa3563996af6f8ff2a

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
1.8MB

MD5
1b162005f656ca78f2b3c733ed76c892

SHA1
40a4c996eb7f0604eb408584d86e0285a87ac0a3

SHA256
1be3fb0b767a291137a95f1ac794450ac55352276125a683f77e301697cbf6ab

SHA512
5c77269da4fd4b29776b49a66f8f2ed9b207d95e40cf0816897b46b50a48bfb4a2f3e313da5f1b0a49c68f4b09854a69a555446ebc3627fa3563996af6f8ff2a

Download Submit
memory/308-236-0x0000000000000000-mapping.dmp

Download
memory/308-243-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/524-305-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/524-248-0x0000000000000000-mapping.dmp

Download
memory/564-218-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/564-212-0x0000000000000000-mapping.dmp

Download
memory/564-213-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/576-59-0x0000000075841000-0x0000000075843000-memory.dmp

Filesize
8KB

Download
memory/576-57-0x0000000000000000-mapping.dmp

Download
memory/580-279-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/584-260-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/584-250-0x0000000000000000-mapping.dmp

Download
memory/584-252-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/588-94-0x0000000000000000-mapping.dmp

Download
memory/588-183-0x0000000000000000-mapping.dmp

Download
memory/604-127-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/604-112-0x0000000000000000-mapping.dmp

Download
memory/604-122-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/692-189-0x0000000000000000-mapping.dmp

Download
memory/692-106-0x0000000000000000-mapping.dmp

Download
memory/692-197-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/772-196-0x0000000000000000-mapping.dmp

Download
memory/788-223-0x0000000000000000-mapping.dmp

Download
memory/824-136-0x0000000000000000-mapping.dmp

Download
memory/832-143-0x0000000000000000-mapping.dmp

Download
memory/864-121-0x0000000001D00000-0x0000000001D1F000-memory.dmp

Filesize
124KB

Download
memory/864-68-0x0000000000000000-mapping.dmp

Download
memory/900-282-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/900-284-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/900-154-0x0000000000000000-mapping.dmp

Download
memory/924-207-0x0000000000000000-mapping.dmp

Download
memory/956-190-0x0000000000000000-mapping.dmp

Download
memory/976-193-0x0000000000000000-mapping.dmp

Download
memory/988-246-0x0000000001E50000-0x0000000001E5D000-memory.dmp

Filesize
52KB

Download
memory/988-240-0x0000000000000000-mapping.dmp

Download
memory/988-172-0x0000000000000000-mapping.dmp

Download
memory/1084-276-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1088-237-0x0000000000000000-mapping.dmp

Download
memory/1164-148-0x0000000000000000-mapping.dmp

Download
memory/1164-151-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1164-163-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1176-170-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1176-167-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1176-161-0x0000000000000000-mapping.dmp

Download
memory/1176-233-0x0000000000000000-mapping.dmp

Download
memory/1212-133-0x0000000000000000-mapping.dmp

Download
memory/1284-186-0x0000000000000000-mapping.dmp

Download
memory/1296-251-0x0000000000000000-mapping.dmp

Download
memory/1320-130-0x0000000000000000-mapping.dmp

Download
memory/1320-145-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1328-209-0x0000000000000000-mapping.dmp

Download
memory/1352-162-0x0000000000000000-mapping.dmp

Download
memory/1456-269-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1456-273-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1476-206-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1476-211-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1476-205-0x0000000000000000-mapping.dmp

Download
memory/1488-255-0x0000000000000000-mapping.dmp

Download
memory/1492-220-0x0000000000000000-mapping.dmp

Download
memory/1500-290-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1500-169-0x0000000000000000-mapping.dmp

Download
memory/1500-288-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1504-230-0x0000000000000000-mapping.dmp

Download
memory/1508-264-0x0000000000000000-mapping.dmp

Download
memory/1528-87-0x0000000000000000-mapping.dmp

Download
memory/1528-102-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1528-91-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1548-174-0x0000000000000000-mapping.dmp

Download
memory/1548-184-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1548-298-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1548-176-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1552-214-0x0000000000000000-mapping.dmp

Download
memory/1560-80-0x0000000000000000-mapping.dmp

Download
memory/1584-99-0x0000000000000000-mapping.dmp

Download
memory/1584-114-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1584-103-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1604-83-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1604-74-0x0000000000000000-mapping.dmp

Download
memory/1604-90-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1612-286-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1640-219-0x0000000000000000-mapping.dmp

Download
memory/1640-222-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1640-225-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1672-54-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1672-64-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1684-168-0x0000000000000000-mapping.dmp

Download
memory/1684-179-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1684-177-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1692-224-0x0000000000000000-mapping.dmp

Download
memory/1692-232-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1696-125-0x0000000000000000-mapping.dmp

Download
memory/1696-128-0x0000000000010000-0x0000000000032000-memory.dmp

Filesize
136KB

Download
memory/1704-180-0x0000000000000000-mapping.dmp

Download
memory/1708-165-0x0000000000000000-mapping.dmp

Download
memory/1728-295-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1732-270-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1732-267-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1740-299-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1744-242-0x0000000000000000-mapping.dmp

Download
memory/1748-229-0x0000000000000000-mapping.dmp

Download
memory/1748-234-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1748-238-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1756-200-0x0000000000000000-mapping.dmp

Download
memory/1760-304-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1792-175-0x0000000000000000-mapping.dmp

Download
memory/1800-296-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1808-262-0x0000000000000000-mapping.dmp

Download
memory/1824-216-0x0000000000000000-mapping.dmp

Download
memory/1884-300-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1884-297-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1896-247-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1896-253-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1896-245-0x0000000000000000-mapping.dmp

Download
memory/1924-118-0x0000000000000000-mapping.dmp

Download
memory/1944-182-0x0000000000000000-mapping.dmp

Download
memory/1944-266-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1944-261-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1944-187-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1944-257-0x0000000000000000-mapping.dmp

Download
memory/1944-192-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1960-195-0x0000000000000000-mapping.dmp

Download
memory/1960-204-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1960-199-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1972-202-0x0000000000000000-mapping.dmp

Download
memory/2000-71-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2000-76-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2000-62-0x0000000000000000-mapping.dmp

Download
memory/2004-258-0x0000000000000000-mapping.dmp

Download
memory/2012-227-0x0000000000000000-mapping.dmp

Download