97d9b40471910d2286d503377032ff934f0bd2ddfc57db0c23ded9c907ae540e

Analysis

max time kernel
83s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
03/12/2022, 21:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97d9b40471910d2286d503377032ff934f0bd2ddfc57db0c23ded9c907ae540e.exe
Size

3.0MB
MD5

f539e74b817d6e30ee32daef0ab6a016
SHA1

74962b6c4b46e1e76a141feb4901afa1e1123395
SHA256

97d9b40471910d2286d503377032ff934f0bd2ddfc57db0c23ded9c907ae540e
SHA512

f9e798c7a14f1474e538e803149cc3af6def8f65d4b1397ca33fd810f467745ffbc593df9419188739a440bd63793fcd3e839d99dfc7dd02b1c135c2055caf05
SSDEEP

24576:IDyTFtjEDyTFtjTDyTFtjBDyTFtj6DyTFtjcDyTFtjEDyTFtjTDyTFtjBDyTFtjW:BtxtItqtjt5txtItqtCt

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
940	tmp7143036.exe
1360	tmp7143067.exe
1224	tmp7143270.exe
1688	tmp7143457.exe
884	notpad.exe
1860	tmp7146015.exe
1436	notpad.exe
1032	tmp7143816.exe
296	tmp7143925.exe
1956	notpad.exe
1752	tmp7143987.exe
1628	tmp7146577.exe
1676	notpad.exe
1940	tmp7144393.exe
1924	tmp7147154.exe
788	tmp7147279.exe
912	tmp7144627.exe
608	tmp7144830.exe
1344	tmp7147310.exe
1696	notpad.exe
888	tmp7145251.exe
2016	tmp7147575.exe
2028	tmp7145438.exe
268	tmp7145594.exe
1864	notpad.exe
1372	tmp7145734.exe
1460	tmp7145922.exe
1860	tmp7146015.exe
1780	notpad.exe
1316	tmp7146156.exe
1892	notpad.exe
1636	tmp7146265.exe
1928	tmp7146202.exe
1176	notpad.exe
1508	tmp7146452.exe
1804	tmp7146343.exe
1352	notpad.exe
1628	tmp7146577.exe
1712	tmp7146717.exe
1552	notpad.exe
1624	tmp7146811.exe
1312	tmp7146936.exe
1988	tmp7147045.exe
760	notpad.exe
1924	tmp7147154.exe
1240	tmp7147185.exe
2036	notpad.exe
788	tmp7147279.exe
1344	tmp7147310.exe
1920	notpad.exe
1304	tmp7147435.exe
1184	tmp7147451.exe
708	notpad.exe
1564	tmp7147560.exe
2016	tmp7147575.exe
1152	notpad.exe
616	tmp7147685.exe
1084	tmp7147763.exe
1876	notpad.exe
856	tmp7147934.exe
808	tmp7147950.exe
1468	tmp7147997.exe
108	tmp7148012.exe
1464	notpad.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000b000000012315-58.dat	upx
behavioral1/files/0x000b000000012315-60.dat	upx
behavioral1/files/0x000b000000012315-62.dat	upx
behavioral1/files/0x000b000000012315-63.dat	upx
behavioral1/memory/1696-70-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00080000000126a6-74.dat	upx
behavioral1/memory/1360-76-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00080000000126a6-80.dat	upx
behavioral1/files/0x00080000000126a6-78.dat	upx
behavioral1/files/0x00080000000126a6-81.dat	upx
behavioral1/memory/884-86-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0008000000012346-88.dat	upx
behavioral1/files/0x00080000000126a6-91.dat	upx
behavioral1/files/0x00080000000126a6-92.dat	upx
behavioral1/files/0x00080000000126a6-94.dat	upx
behavioral1/memory/884-103-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0008000000012346-105.dat	upx
behavioral1/files/0x00080000000126a6-109.dat	upx
behavioral1/files/0x00080000000126a6-108.dat	upx
behavioral1/files/0x00080000000126a6-111.dat	upx
behavioral1/memory/1436-115-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00080000000126a6-125.dat	upx
behavioral1/files/0x00080000000126a6-128.dat	upx
behavioral1/files/0x00080000000126a6-126.dat	upx
behavioral1/files/0x0008000000012346-122.dat	upx
behavioral1/memory/1956-132-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0008000000012346-139.dat	upx
behavioral1/memory/1676-150-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00080000000126a6-147.dat	upx
behavioral1/files/0x00080000000126a6-145.dat	upx
behavioral1/files/0x00080000000126a6-143.dat	upx
behavioral1/memory/788-159-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1696-163-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2016-165-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1696-168-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2016-172-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1864-178-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1780-187-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1892-191-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1176-197-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1352-203-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/760-213-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1552-208-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/2036-220-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/708-233-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1920-227-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1152-238-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1876-244-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/808-248-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1920-222-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1464-251-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1508-253-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1076-255-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1464-256-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1508-259-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1076-261-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1808-264-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1320-267-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1664-269-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1676-273-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1224-275-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1940-277-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1976-274-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1940-278-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Loads dropped DLL 64 IoCs

pid	Process
1696	97d9b40471910d2286d503377032ff934f0bd2ddfc57db0c23ded9c907ae540e.exe
1696	97d9b40471910d2286d503377032ff934f0bd2ddfc57db0c23ded9c907ae540e.exe
1696	97d9b40471910d2286d503377032ff934f0bd2ddfc57db0c23ded9c907ae540e.exe
1696	97d9b40471910d2286d503377032ff934f0bd2ddfc57db0c23ded9c907ae540e.exe
1360	tmp7143067.exe
1360	tmp7143067.exe
1360	tmp7143067.exe
1360	tmp7143067.exe
940	tmp7143036.exe
940	tmp7143036.exe
884	notpad.exe
884	notpad.exe
1860	tmp7146015.exe
1860	tmp7146015.exe
884	notpad.exe
1436	notpad.exe
1436	notpad.exe
296	tmp7143925.exe
296	tmp7143925.exe
1436	notpad.exe
1956	notpad.exe
1956	notpad.exe
1628	tmp7146577.exe
1628	tmp7146577.exe
1956	notpad.exe
1676	notpad.exe
1676	notpad.exe
1676	notpad.exe
1924	tmp7147154.exe
1924	tmp7147154.exe
788	tmp7147279.exe
788	tmp7147279.exe
788	tmp7147279.exe
608	tmp7144830.exe
608	tmp7144830.exe
1696	notpad.exe
1696	notpad.exe
888	tmp7145251.exe
888	tmp7145251.exe
1696	notpad.exe
2016	tmp7147575.exe
2016	tmp7147575.exe
2016	tmp7147575.exe
268	tmp7145594.exe
268	tmp7145594.exe
1864	notpad.exe
1864	notpad.exe
1460	tmp7145922.exe
1864	notpad.exe
1460	tmp7145922.exe
1780	notpad.exe
1780	notpad.exe
1316	tmp7146156.exe
1316	tmp7146156.exe
1780	notpad.exe
1892	notpad.exe
1892	notpad.exe
1636	tmp7146265.exe
1636	tmp7146265.exe
1176	notpad.exe
1892	notpad.exe
1176	notpad.exe
1508	tmp7146452.exe
1176	notpad.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\notpad.exe	tmp7147435.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7147560.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7184048.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7189228.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7143925.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7145922.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7178994.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7227869.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7147154.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7144830.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7145251.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7146936.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7178994.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7185593.exe
File created	C:\Windows\SysWOW64\fsb.tmp	tmp7143036.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7143036.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7147154.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7146156.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7146452.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7149057.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7227869.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7185593.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7146577.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7145922.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7146452.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7147435.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7242237.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7144830.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7145251.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7146265.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7147279.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7147685.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7147560.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7189789.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7227869.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7146015.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7143925.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7145594.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7146717.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7146717.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7242237.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7146265.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7146452.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7147934.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7149057.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7184220.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7147685.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7189789.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7242237.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7143925.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7146577.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7146577.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7145594.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7146156.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7143036.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7145922.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7146717.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7146936.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7147435.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7144830.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7147560.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7178994.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7185593.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7146015.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 27 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7146936.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7145922.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7146717.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7147934.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7189228.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7147154.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7146156.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7146452.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7147560.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7147685.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7149057.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7178994.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7146577.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7144830.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7146265.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7147435.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7145251.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7184220.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7242237.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7147279.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7189789.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7227869.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7146015.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7143925.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7145594.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7143036.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7185593.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 940	1696	97d9b40471910d2286d503377032ff934f0bd2ddfc57db0c23ded9c907ae540e.exe	28
PID 1696 wrote to memory of 940	1696	97d9b40471910d2286d503377032ff934f0bd2ddfc57db0c23ded9c907ae540e.exe	28
PID 1696 wrote to memory of 940	1696	97d9b40471910d2286d503377032ff934f0bd2ddfc57db0c23ded9c907ae540e.exe	28
PID 1696 wrote to memory of 940	1696	97d9b40471910d2286d503377032ff934f0bd2ddfc57db0c23ded9c907ae540e.exe	28
PID 1696 wrote to memory of 1360	1696	97d9b40471910d2286d503377032ff934f0bd2ddfc57db0c23ded9c907ae540e.exe	29
PID 1696 wrote to memory of 1360	1696	97d9b40471910d2286d503377032ff934f0bd2ddfc57db0c23ded9c907ae540e.exe	29
PID 1696 wrote to memory of 1360	1696	97d9b40471910d2286d503377032ff934f0bd2ddfc57db0c23ded9c907ae540e.exe	29
PID 1696 wrote to memory of 1360	1696	97d9b40471910d2286d503377032ff934f0bd2ddfc57db0c23ded9c907ae540e.exe	29
PID 1360 wrote to memory of 1224	1360	tmp7143067.exe	30
PID 1360 wrote to memory of 1224	1360	tmp7143067.exe	30
PID 1360 wrote to memory of 1224	1360	tmp7143067.exe	30
PID 1360 wrote to memory of 1224	1360	tmp7143067.exe	30
PID 1360 wrote to memory of 1688	1360	tmp7143067.exe	31
PID 1360 wrote to memory of 1688	1360	tmp7143067.exe	31
PID 1360 wrote to memory of 1688	1360	tmp7143067.exe	31
PID 1360 wrote to memory of 1688	1360	tmp7143067.exe	31
PID 940 wrote to memory of 884	940	tmp7143036.exe	32
PID 940 wrote to memory of 884	940	tmp7143036.exe	32
PID 940 wrote to memory of 884	940	tmp7143036.exe	32
PID 940 wrote to memory of 884	940	tmp7143036.exe	32
PID 884 wrote to memory of 1860	884	notpad.exe	55
PID 884 wrote to memory of 1860	884	notpad.exe	55
PID 884 wrote to memory of 1860	884	notpad.exe	55
PID 884 wrote to memory of 1860	884	notpad.exe	55
PID 1860 wrote to memory of 1436	1860	tmp7146015.exe	34
PID 1860 wrote to memory of 1436	1860	tmp7146015.exe	34
PID 1860 wrote to memory of 1436	1860	tmp7146015.exe	34
PID 1860 wrote to memory of 1436	1860	tmp7146015.exe	34
PID 884 wrote to memory of 1032	884	notpad.exe	35
PID 884 wrote to memory of 1032	884	notpad.exe	35
PID 884 wrote to memory of 1032	884	notpad.exe	35
PID 884 wrote to memory of 1032	884	notpad.exe	35
PID 1436 wrote to memory of 296	1436	notpad.exe	36
PID 1436 wrote to memory of 296	1436	notpad.exe	36
PID 1436 wrote to memory of 296	1436	notpad.exe	36
PID 1436 wrote to memory of 296	1436	notpad.exe	36
PID 296 wrote to memory of 1956	296	tmp7143925.exe	37
PID 296 wrote to memory of 1956	296	tmp7143925.exe	37
PID 296 wrote to memory of 1956	296	tmp7143925.exe	37
PID 296 wrote to memory of 1956	296	tmp7143925.exe	37
PID 1436 wrote to memory of 1752	1436	notpad.exe	38
PID 1436 wrote to memory of 1752	1436	notpad.exe	38
PID 1436 wrote to memory of 1752	1436	notpad.exe	38
PID 1436 wrote to memory of 1752	1436	notpad.exe	38
PID 1956 wrote to memory of 1628	1956	notpad.exe	64
PID 1956 wrote to memory of 1628	1956	notpad.exe	64
PID 1956 wrote to memory of 1628	1956	notpad.exe	64
PID 1956 wrote to memory of 1628	1956	notpad.exe	64
PID 1628 wrote to memory of 1676	1628	tmp7146577.exe	40
PID 1628 wrote to memory of 1676	1628	tmp7146577.exe	40
PID 1628 wrote to memory of 1676	1628	tmp7146577.exe	40
PID 1628 wrote to memory of 1676	1628	tmp7146577.exe	40
PID 1956 wrote to memory of 1940	1956	notpad.exe	39
PID 1956 wrote to memory of 1940	1956	notpad.exe	39
PID 1956 wrote to memory of 1940	1956	notpad.exe	39
PID 1956 wrote to memory of 1940	1956	notpad.exe	39
PID 1676 wrote to memory of 1924	1676	notpad.exe	70
PID 1676 wrote to memory of 1924	1676	notpad.exe	70
PID 1676 wrote to memory of 1924	1676	notpad.exe	70
PID 1676 wrote to memory of 1924	1676	notpad.exe	70
PID 1676 wrote to memory of 912	1676	notpad.exe	44
PID 1676 wrote to memory of 912	1676	notpad.exe	44
PID 1676 wrote to memory of 912	1676	notpad.exe	44
PID 1676 wrote to memory of 912	1676	notpad.exe	44

C:\Users\Admin\AppData\Local\Temp\97d9b40471910d2286d503377032ff934f0bd2ddfc57db0c23ded9c907ae540e.exe
"C:\Users\Admin\AppData\Local\Temp\97d9b40471910d2286d503377032ff934f0bd2ddfc57db0c23ded9c907ae540e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Users\Admin\AppData\Local\Temp\tmp7143036.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7143036.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:940
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:884
  - - C:\Users\Admin\AppData\Local\Temp\tmp7143706.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7143706.exe
      4⤵
      PID:1860
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1436
      - C:\Users\Admin\AppData\Local\Temp\tmp7143925.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143925.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:296
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144393.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144393.exe
        8⤵
        Executes dropped EXE
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144174.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7144174.exe
        8⤵
        
        PID:1628
      - C:\Users\Admin\AppData\Local\Temp\tmp7143987.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7143987.exe
        6⤵
        Executes dropped EXE
        
        PID:1752
  - - C:\Users\Admin\AppData\Local\Temp\tmp7143816.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7143816.exe
      4⤵
      Executes dropped EXE
      PID:1032
- C:\Users\Admin\AppData\Local\Temp\tmp7143067.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7143067.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Users\Admin\AppData\Local\Temp\tmp7143270.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7143270.exe
    3⤵
    - Executes dropped EXE
    PID:1224
- - C:\Users\Admin\AppData\Local\Temp\tmp7143457.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7143457.exe
    3⤵
    - Executes dropped EXE
    PID:1688

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Users\Admin\AppData\Local\Temp\tmp7144502.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7144502.exe
  2⤵
  PID:1924
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:788
  - - C:\Users\Admin\AppData\Local\Temp\tmp7144830.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7144830.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      PID:608
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1696
      - C:\Users\Admin\AppData\Local\Temp\tmp7145251.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145251.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:888
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145594.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145594.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:268
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145922.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145922.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1460
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146156.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1316
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146265.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146452.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146452.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1508
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        17⤵
        Executes dropped EXE
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146717.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146717.exe
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1712
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        19⤵
        Executes dropped EXE
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146936.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146936.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1312
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        21⤵
        Executes dropped EXE
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147045.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147045.exe
        20⤵
        Executes dropped EXE
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146811.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146811.exe
        18⤵
        Executes dropped EXE
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189290.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189290.exe
        19⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189508.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189508.exe
        20⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189399.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189399.exe
        20⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189181.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189181.exe
        19⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146577.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146577.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146343.exe
        14⤵
        Executes dropped EXE
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146202.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146202.exe
        12⤵
        Executes dropped EXE
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146015.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145734.exe
        8⤵
        Executes dropped EXE
        
        PID:1372
      - C:\Users\Admin\AppData\Local\Temp\tmp7145438.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7145438.exe
        6⤵
        Executes dropped EXE
        
        PID:2028
    - - C:\Users\Admin\AppData\Local\Temp\tmp7189820.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189820.exe
        5⤵
        
        PID:2036
    - - C:\Users\Admin\AppData\Local\Temp\tmp7189742.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189742.exe
        5⤵
        
        PID:1140
  - - C:\Users\Admin\AppData\Local\Temp\tmp7145017.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7145017.exe
      4⤵
      PID:1344
- C:\Users\Admin\AppData\Local\Temp\tmp7144627.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7144627.exe
  2⤵
  - Executes dropped EXE
  PID:912
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:980
  - - C:\Users\Admin\AppData\Local\Temp\tmp7189789.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7189789.exe
      4⤵
      Drops file in System32 directory
      Modifies registry class
      PID:2044
    - - C:\Users\Admin\AppData\Local\Temp\tmp7189852.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189852.exe
        5⤵
        
        PID:468
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191739.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191739.exe
        7⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200818.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200818.exe
        9⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212238.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212238.exe
        9⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213907.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213907.exe
        10⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214094.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214094.exe
        10⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200787.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7200787.exe
        7⤵
        
        PID:1908
    - - C:\Users\Admin\AppData\Local\Temp\tmp7191256.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191256.exe
        5⤵
        
        PID:1540
  - - C:\Users\Admin\AppData\Local\Temp\tmp7189727.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7189727.exe
      4⤵
      PID:564
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:1372
      - C:\Users\Admin\AppData\Local\Temp\tmp7191302.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191302.exe
        6⤵
        
        PID:556
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230225.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230225.exe
        8⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230630.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230630.exe
        10⤵
        
        PID:852
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232050.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232050.exe
        12⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\tmp7234749.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7234749.exe
        12⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235825.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235825.exe
        13⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\tmp7243157.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7243157.exe
        13⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230864.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230864.exe
        10⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231223.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231223.exe
        11⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235232.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235232.exe
        13⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        14⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\tmp7260161.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7260161.exe
        15⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\tmp7261160.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7261160.exe
        17⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\tmp7262330.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7262330.exe
        19⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\tmp7263047.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7263047.exe
        19⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\tmp7264248.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7264248.exe
        20⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        21⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\tmp7271659.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7271659.exe
        22⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\tmp7272907.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7272907.exe
        22⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7273624.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7273624.exe
        23⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\tmp7274513.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7274513.exe
        23⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\tmp7265169.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7265169.exe
        20⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\tmp7261643.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7261643.exe
        17⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7262298.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7262298.exe
        18⤵
        
        PID:540
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        19⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\tmp7263827.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7263827.exe
        20⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        21⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\tmp7264888.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7264888.exe
        22⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\tmp7270504.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7270504.exe
        22⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\tmp7272345.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7272345.exe
        23⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        24⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\tmp7273219.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7273219.exe
        25⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        26⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\tmp7273765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7273765.exe
        27⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7273593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7273593.exe
        25⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\tmp7273905.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7273905.exe
        26⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        27⤵
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\tmp7274857.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7274857.exe
        28⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        29⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\tmp7276713.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7276713.exe
        30⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        31⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\tmp7277431.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7277431.exe
        32⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        33⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\tmp7278491.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7278491.exe
        34⤵
        
        PID:564
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        35⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\tmp7291299.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7291299.exe
        36⤵
        
        PID:948
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        37⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\tmp7292251.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7292251.exe
        38⤵
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\tmp7291549.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7291549.exe
        36⤵
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\tmp7280878.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7280878.exe
        34⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\tmp7289458.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7289458.exe
        35⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\tmp7291564.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7291564.exe
        35⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\tmp7277743.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7277743.exe
        32⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\tmp7280597.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7280597.exe
        33⤵
        
        PID:240
        
        C:\Users\Admin\AppData\Local\Temp\tmp7284841.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7284841.exe
        33⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmp7291424.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7291424.exe
        34⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\tmp7291985.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7291985.exe
        34⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\tmp7276994.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7276994.exe
        30⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmp7277602.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7277602.exe
        31⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\tmp7277774.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7277774.exe
        31⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp7278039.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7278039.exe
        32⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        33⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\tmp7280925.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7280925.exe
        34⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\tmp7280738.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7280738.exe
        32⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp7275637.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7275637.exe
        28⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp7275964.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7275964.exe
        29⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\tmp7276214.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7276214.exe
        29⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\tmp7274264.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7274264.exe
        26⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\tmp7272860.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7272860.exe
        23⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\tmp7264701.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7264701.exe
        20⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\tmp7265247.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7265247.exe
        21⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\tmp7271503.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7271503.exe
        21⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7263172.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7263172.exe
        18⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\tmp7260380.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7260380.exe
        15⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\tmp7261752.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7261752.exe
        16⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\tmp7261846.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7261846.exe
        16⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7242237.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7242237.exe
        13⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:272
        
        C:\Users\Admin\AppData\Local\Temp\tmp7246527.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7246527.exe
        14⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\tmp7260941.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7260941.exe
        14⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232128.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232128.exe
        11⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230443.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230443.exe
        8⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230583.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230583.exe
        9⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231457.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231457.exe
        9⤵
        
        PID:1624
      - C:\Users\Admin\AppData\Local\Temp\tmp7191599.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191599.exe
        6⤵
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194220.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7194220.exe
        7⤵
        
        PID:1228
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212285.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7212285.exe
        9⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214874.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214874.exe
        11⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215779.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215779.exe
        11⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216918.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216918.exe
        12⤵
        
        PID:1240
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229289.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229289.exe
        14⤵
        
        PID:296
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229866.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229866.exe
        16⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        17⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230053.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230053.exe
        18⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230069.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230069.exe
        18⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230178.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230178.exe
        19⤵
        
        PID:856
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230412.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230412.exe
        21⤵
        
        PID:1076
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        22⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233672.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7233672.exe
        23⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\tmp7234764.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7234764.exe
        23⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235731.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7235731.exe
        24⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\tmp7246527.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7246527.exe
        24⤵
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231239.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7231239.exe
        21⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232206.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7232206.exe
        22⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\tmp7234951.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7234951.exe
        22⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230193.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230193.exe
        19⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229819.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229819.exe
        14⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230037.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230037.exe
        15⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230084.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7230084.exe
        15⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226605.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7226605.exe
        12⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213954.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7213954.exe
        9⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7214781.exe
        10⤵
        
        PID:852
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216153.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216153.exe
        12⤵
        
        PID:832
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216528.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216528.exe
        14⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227869.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227869.exe
        16⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229055.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229055.exe
        16⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229725.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229725.exe
        17⤵
        
        PID:652
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229772.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7229772.exe
        17⤵
        
        PID:108
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216980.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216980.exe
        14⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227526.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227526.exe
        15⤵
        
        PID:608
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228602.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7228602.exe
        15⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216247.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216247.exe
        12⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217152.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7217152.exe
        13⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227557.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7227557.exe
        13⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215701.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7215701.exe
        10⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206060.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7206060.exe
        7⤵
        
        PID:1640

C:\Users\Admin\AppData\Local\Temp\tmp7147154.exe
C:\Users\Admin\AppData\Local\Temp\tmp7147154.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
PID:1924
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  PID:2036
- - C:\Users\Admin\AppData\Local\Temp\tmp7147279.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7147279.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Modifies registry class
    PID:788
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      Executes dropped EXE
      PID:1920
    - - C:\Users\Admin\AppData\Local\Temp\tmp7147451.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147451.exe
        5⤵
        Executes dropped EXE
        
        PID:1184
    - - C:\Users\Admin\AppData\Local\Temp\tmp7147435.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147435.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1304
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        Executes dropped EXE
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147560.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147560.exe
        7⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        Executes dropped EXE
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147685.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147685.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:616
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        Executes dropped EXE
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147763.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147763.exe
        9⤵
        Executes dropped EXE
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147575.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7147575.exe
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2016
- - C:\Users\Admin\AppData\Local\Temp\tmp7147310.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7147310.exe
    3⤵
    - Executes dropped EXE
    PID:1344

C:\Users\Admin\AppData\Local\Temp\tmp7147185.exe
C:\Users\Admin\AppData\Local\Temp\tmp7147185.exe
1⤵
- Executes dropped EXE
PID:1240

C:\Users\Admin\AppData\Local\Temp\tmp7147950.exe
C:\Users\Admin\AppData\Local\Temp\tmp7147950.exe
1⤵
- Executes dropped EXE
PID:808
- C:\Users\Admin\AppData\Local\Temp\tmp7148012.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7148012.exe
  2⤵
  - Executes dropped EXE
  PID:108
- C:\Users\Admin\AppData\Local\Temp\tmp7147997.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7147997.exe
  2⤵
  - Executes dropped EXE
  PID:1468

C:\Users\Admin\AppData\Local\Temp\tmp7147934.exe
C:\Users\Admin\AppData\Local\Temp\tmp7147934.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:856
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  PID:1464
- - C:\Users\Admin\AppData\Local\Temp\tmp7149057.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7149057.exe
    3⤵
    - Drops file in System32 directory
    - Modifies registry class
    PID:1700
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:1508
    - - C:\Users\Admin\AppData\Local\Temp\tmp7178994.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178994.exe
        5⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1176
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184048.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184048.exe
        7⤵
        Drops file in System32 directory
        
        PID:832
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184220.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184220.exe
        9⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184594.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184594.exe
        11⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184641.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184641.exe
        11⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185031.exe
        12⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185156.exe
        12⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184267.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184267.exe
        9⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184470.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184470.exe
        10⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185078.exe
        12⤵
        
        PID:940
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185390.exe
        14⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185452.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185452.exe
        14⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185109.exe
        12⤵
        
        PID:708
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185265.exe
        13⤵
        
        PID:272
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        14⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185593.exe
        15⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186654.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186654.exe
        17⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187075.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187075.exe
        17⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187449.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187449.exe
        18⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187917.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187917.exe
        18⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186201.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186201.exe
        15⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186466.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186466.exe
        16⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        17⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186747.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7186747.exe
        16⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7185421.exe
        13⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184610.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184610.exe
        10⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184095.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184095.exe
        7⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184329.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184329.exe
        8⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184563.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7184563.exe
        8⤵
        
        PID:2036
    - - C:\Users\Admin\AppData\Local\Temp\tmp7182473.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7182473.exe
        5⤵
        
        PID:1320
      - C:\Users\Admin\AppData\Local\Temp\tmp7183159.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183159.exe
        6⤵
        
        PID:1712
      - C:\Users\Admin\AppData\Local\Temp\tmp7183986.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7183986.exe
        6⤵
        
        PID:1816
- - C:\Users\Admin\AppData\Local\Temp\tmp7178916.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7178916.exe
    3⤵
    PID:1076
  - - C:\Users\Admin\AppData\Local\Temp\tmp7179041.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7179041.exe
      4⤵
      PID:1620
  - - C:\Users\Admin\AppData\Local\Temp\tmp7182504.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7182504.exe
      4⤵
      PID:1888

C:\Users\Admin\AppData\Local\Temp\tmp7187215.exe
C:\Users\Admin\AppData\Local\Temp\tmp7187215.exe
1⤵
PID:1476
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:2012
- - C:\Users\Admin\AppData\Local\Temp\tmp7188978.exe
    C:\Users\Admin\AppData\Local\Temp\tmp7188978.exe
    3⤵
    PID:1492

C:\Users\Admin\AppData\Local\Temp\tmp7187371.exe
C:\Users\Admin\AppData\Local\Temp\tmp7187371.exe
1⤵
PID:592
- C:\Users\Admin\AppData\Local\Temp\tmp7187902.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7187902.exe
  2⤵
  PID:1356
- C:\Users\Admin\AppData\Local\Temp\tmp7188744.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7188744.exe
  2⤵
  PID:1176

C:\Users\Admin\AppData\Local\Temp\tmp7188526.exe
C:\Users\Admin\AppData\Local\Temp\tmp7188526.exe
1⤵
PID:1508
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1624

C:\Users\Admin\AppData\Local\Temp\tmp7189446.exe
C:\Users\Admin\AppData\Local\Temp\tmp7189446.exe
1⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\tmp7189618.exe
C:\Users\Admin\AppData\Local\Temp\tmp7189618.exe
1⤵
PID:608

C:\Users\Admin\AppData\Local\Temp\tmp7189274.exe
C:\Users\Admin\AppData\Local\Temp\tmp7189274.exe
1⤵
PID:952

C:\Users\Admin\AppData\Local\Temp\tmp7189228.exe
C:\Users\Admin\AppData\Local\Temp\tmp7189228.exe
1⤵
- Drops file in System32 directory
- Modifies registry class
PID:832

C:\Users\Admin\AppData\Local\Temp\tmp7212097.exe
C:\Users\Admin\AppData\Local\Temp\tmp7212097.exe
1⤵
PID:972

C:\Users\Admin\AppData\Local\Temp\tmp7211973.exe
C:\Users\Admin\AppData\Local\Temp\tmp7211973.exe
1⤵
PID:1668

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7143036.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7143036.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7143067.exe

Filesize
201KB

MD5
2280cf04f6dc9d3f8edf4d91ae30c52b

SHA1
964329c715430e8a670dc959de2db0d09616c0cb

SHA256
e025ea0d8b3b4aebad30d407d8e2b34cbf8d65e3eb26fe31db0a81ebfcf8f5c5

SHA512
1c0244e0d3b6619417136056cb0ec4f972649251f8105595a3aeebdcfc4a9784a83c710b4cf56fd81e8f3cde2b4e25eea6e1fd745ab936b24adfd92086de412b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7143067.exe

Filesize
201KB

MD5
2280cf04f6dc9d3f8edf4d91ae30c52b

SHA1
964329c715430e8a670dc959de2db0d09616c0cb

SHA256
e025ea0d8b3b4aebad30d407d8e2b34cbf8d65e3eb26fe31db0a81ebfcf8f5c5

SHA512
1c0244e0d3b6619417136056cb0ec4f972649251f8105595a3aeebdcfc4a9784a83c710b4cf56fd81e8f3cde2b4e25eea6e1fd745ab936b24adfd92086de412b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7143270.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7143457.exe

Filesize
67KB

MD5
5e28284f9b5f9097640d58a73d38ad4c

SHA1
7a90f8b051bc82cc9cadbcc9ba345ced02891a6c

SHA256
865f34fe7ba81e9622ddbdfc511547d190367bbf3dad21ceb6da3eec621044f5

SHA512
cb7218cfea8813ae8c7acf6f7511aecbeb9d697986e0eb8538065bf9e3e9c6ced9c29270eb677f5acf08d2e94b21018d8c4a376aa646fa73ce831fc87d448934

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7143706.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7143706.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7143816.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7143925.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7143925.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7143987.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7144174.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7144174.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7144393.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7144502.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7144502.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7144627.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
123KB

MD5
80dde3d324b6127cf7956804d4c88f6b

SHA1
708c136be7d876947f517ca84eef9607d5054e50

SHA256
90f5f93586efea8a89a3b1b9352d60991aea9a2563c9791eb1e14258d9fcf5d5

SHA512
33a398d8bdadaadf8da320605d0a23c351b5196c58395d329065e61a9bc276b454f9934873831419063b0192ff72dadea0556e3ec01857700a36f5155ff87d01

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
123KB

MD5
80dde3d324b6127cf7956804d4c88f6b

SHA1
708c136be7d876947f517ca84eef9607d5054e50

SHA256
90f5f93586efea8a89a3b1b9352d60991aea9a2563c9791eb1e14258d9fcf5d5

SHA512
33a398d8bdadaadf8da320605d0a23c351b5196c58395d329065e61a9bc276b454f9934873831419063b0192ff72dadea0556e3ec01857700a36f5155ff87d01

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7143036.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7143036.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7143067.exe

Filesize
201KB

MD5
2280cf04f6dc9d3f8edf4d91ae30c52b

SHA1
964329c715430e8a670dc959de2db0d09616c0cb

SHA256
e025ea0d8b3b4aebad30d407d8e2b34cbf8d65e3eb26fe31db0a81ebfcf8f5c5

SHA512
1c0244e0d3b6619417136056cb0ec4f972649251f8105595a3aeebdcfc4a9784a83c710b4cf56fd81e8f3cde2b4e25eea6e1fd745ab936b24adfd92086de412b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7143067.exe

Filesize
201KB

MD5
2280cf04f6dc9d3f8edf4d91ae30c52b

SHA1
964329c715430e8a670dc959de2db0d09616c0cb

SHA256
e025ea0d8b3b4aebad30d407d8e2b34cbf8d65e3eb26fe31db0a81ebfcf8f5c5

SHA512
1c0244e0d3b6619417136056cb0ec4f972649251f8105595a3aeebdcfc4a9784a83c710b4cf56fd81e8f3cde2b4e25eea6e1fd745ab936b24adfd92086de412b

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7143270.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7143270.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7143457.exe

Filesize
67KB

MD5
5e28284f9b5f9097640d58a73d38ad4c

SHA1
7a90f8b051bc82cc9cadbcc9ba345ced02891a6c

SHA256
865f34fe7ba81e9622ddbdfc511547d190367bbf3dad21ceb6da3eec621044f5

SHA512
cb7218cfea8813ae8c7acf6f7511aecbeb9d697986e0eb8538065bf9e3e9c6ced9c29270eb677f5acf08d2e94b21018d8c4a376aa646fa73ce831fc87d448934

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7143457.exe

Filesize
67KB

MD5
5e28284f9b5f9097640d58a73d38ad4c

SHA1
7a90f8b051bc82cc9cadbcc9ba345ced02891a6c

SHA256
865f34fe7ba81e9622ddbdfc511547d190367bbf3dad21ceb6da3eec621044f5

SHA512
cb7218cfea8813ae8c7acf6f7511aecbeb9d697986e0eb8538065bf9e3e9c6ced9c29270eb677f5acf08d2e94b21018d8c4a376aa646fa73ce831fc87d448934

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7143706.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7143706.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7143816.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7143925.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7143925.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7143987.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7144174.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7144174.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7144393.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7144502.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7144502.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7144627.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7144830.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7144830.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
memory/592-305-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/592-309-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/608-324-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/708-233-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/708-289-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/756-300-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/760-213-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/788-159-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/808-248-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/820-288-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/884-103-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/884-86-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/888-282-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/940-59-0x0000000074AB1000-0x0000000074AB3000-memory.dmp

Filesize
8KB

Download
memory/980-321-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1032-291-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1076-261-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1076-255-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1152-238-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1176-197-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1224-281-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1224-275-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1320-318-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1320-267-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1352-203-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1360-76-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1436-292-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1436-115-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1436-297-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1464-254-0x00000000003C0000-0x00000000003DF000-memory.dmp

Filesize
124KB

Download
memory/1464-251-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1464-256-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1492-314-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1508-253-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1508-259-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1552-208-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1580-303-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1624-313-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1664-269-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1676-150-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1676-273-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1696-168-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1696-163-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1696-70-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1720-319-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1780-187-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1808-264-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1864-178-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1876-244-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1892-191-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1920-227-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1920-222-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1924-151-0x0000000000580000-0x000000000058D000-memory.dmp

Filesize
52KB

Download
memory/1928-294-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1928-298-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1940-277-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1940-278-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1956-132-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1976-274-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2012-310-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2012-304-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2016-165-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2016-172-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2032-287-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2036-220-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download