9ce381c6f38cd073449aa6b1ad1dac208de03cd4c8a61f941430d456e8d1c08d

Analysis

max time kernel
150s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
06/12/2022, 00:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ce381c6f38cd073449aa6b1ad1dac208de03cd4c8a61f941430d456e8d1c08d.exe
Size

6.0MB
MD5

6c5903a2a6cb7f49b75c751c186cd0a6
SHA1

7b03a48a2e695ada8522833a815820e1d6be52f9
SHA256

9ce381c6f38cd073449aa6b1ad1dac208de03cd4c8a61f941430d456e8d1c08d
SHA512

0b4ccc0da4171fe837956584937975bc84de31ecffea5c2dda4fc0c8ac448898aea4991fa618dfa8fc25b0bd89675b62eaddab657584243657a9fcc3f27e23e6
SSDEEP

98304:utqt0tItqtGtItqtTtItqtEtItqtltItqtKtItqt:YsqmsAmshmsamsXmsMms

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1104	tmp7118076.exe
940	tmp7118122.exe
2008	notpad.exe
1656	tmp7121133.exe
472	tmp7121164.exe
1496	notpad.exe
1148	tmp7121352.exe
2020	tmp7121461.exe
704	notpad.exe
1696	tmp7146109.exe
1776	tmp7156015.exe
1040	notpad.exe
1972	tmp7156951.exe
556	notpad.exe
1116	tmp7157029.exe
1012	tmp7157216.exe
1556	tmp7157357.exe
936	notpad.exe
2012	tmp7157622.exe
2040	tmp7157731.exe
1192	notpad.exe
2036	tmp7157887.exe
1104	tmp7158027.exe
1020	notpad.exe
1760	tmp7158199.exe
656	tmp7158215.exe
1964	notpad.exe
1656	tmp7158339.exe
280	tmp7158371.exe
1928	notpad.exe
324	tmp7158558.exe
1688	tmp7158667.exe
1132	notpad.exe
1940	tmp7158761.exe
1724	tmp7158807.exe
1636	notpad.exe
1408	tmp7159026.exe
1384	tmp7159057.exe
436	notpad.exe
1764	tmp7159151.exe
1700	tmp7159119.exe
1884	tmp7159213.exe
852	notpad.exe
1720	tmp7159353.exe
1420	tmp7159338.exe
1116	notpad.exe
1304	tmp7159447.exe
1668	tmp7159541.exe
560	tmp7159619.exe
820	notpad.exe
1556	tmp7159634.exe
1756	tmp7159775.exe
884	tmp7159650.exe
1600	tmp7159806.exe
2012	tmp7159899.exe
1072	notpad.exe
1296	tmp7160009.exe
1900	tmp7159790.exe
1020	notpad.exe
472	tmp7160071.exe
756	notpad.exe
332	tmp7160133.exe
1516	tmp7160118.exe
280	tmp7160024.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1732-64-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1732-65-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0008000000012767-67.dat	upx
behavioral1/files/0x0008000000012767-70.dat	upx
behavioral1/files/0x0008000000012767-68.dat	upx
behavioral1/files/0x0008000000012767-71.dat	upx
behavioral1/files/0x00090000000126a6-77.dat	upx
behavioral1/files/0x0008000000012767-88.dat	upx
behavioral1/files/0x0008000000012767-86.dat	upx
behavioral1/files/0x0008000000012767-85.dat	upx
behavioral1/memory/2008-83-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1496-94-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00090000000126a6-96.dat	upx
behavioral1/memory/1496-106-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0008000000012767-107.dat	upx
behavioral1/files/0x0008000000012767-102.dat	upx
behavioral1/files/0x0008000000012767-101.dat	upx
behavioral1/memory/704-108-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00090000000126a6-114.dat	upx
behavioral1/memory/704-120-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0008000000012767-122.dat	upx
behavioral1/files/0x0008000000012767-125.dat	upx
behavioral1/files/0x0008000000012767-123.dat	upx
behavioral1/files/0x00090000000126a6-131.dat	upx
behavioral1/files/0x0008000000012767-134.dat	upx
behavioral1/files/0x0008000000012767-135.dat	upx
behavioral1/files/0x0008000000012767-138.dat	upx
behavioral1/memory/1040-142-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x00090000000126a6-148.dat	upx
behavioral1/memory/556-154-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/files/0x0008000000012767-156.dat	upx
behavioral1/memory/936-161-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1192-168-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1020-174-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1964-179-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1928-187-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1132-191-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1636-198-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1384-202-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/436-205-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1884-211-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/852-215-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1116-221-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1304-227-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1556-229-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/820-230-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1556-232-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/820-238-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1900-249-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1020-252-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1072-250-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/756-253-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/280-256-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1928-259-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/524-263-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/812-266-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1932-269-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1408-268-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/672-270-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/944-271-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1200-272-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/704-274-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/852-273-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral1/memory/1764-275-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Loads dropped DLL 64 IoCs

pid	Process
1732	9ce381c6f38cd073449aa6b1ad1dac208de03cd4c8a61f941430d456e8d1c08d.exe
1732	9ce381c6f38cd073449aa6b1ad1dac208de03cd4c8a61f941430d456e8d1c08d.exe
1732	9ce381c6f38cd073449aa6b1ad1dac208de03cd4c8a61f941430d456e8d1c08d.exe
1732	9ce381c6f38cd073449aa6b1ad1dac208de03cd4c8a61f941430d456e8d1c08d.exe
1104	tmp7118076.exe
1104	tmp7118076.exe
2008	notpad.exe
2008	notpad.exe
2008	notpad.exe
1656	tmp7121133.exe
1656	tmp7121133.exe
1496	notpad.exe
1496	notpad.exe
1496	notpad.exe
1148	tmp7121352.exe
1148	tmp7121352.exe
704	notpad.exe
704	notpad.exe
704	notpad.exe
1696	tmp7146109.exe
1696	tmp7146109.exe
1040	notpad.exe
1040	notpad.exe
1972	tmp7156951.exe
1972	tmp7156951.exe
1040	notpad.exe
556	notpad.exe
556	notpad.exe
556	notpad.exe
1012	tmp7157216.exe
1012	tmp7157216.exe
936	notpad.exe
936	notpad.exe
936	notpad.exe
2012	tmp7157622.exe
2012	tmp7157622.exe
1192	notpad.exe
1192	notpad.exe
1192	notpad.exe
2036	tmp7157887.exe
2036	tmp7157887.exe
1020	notpad.exe
1020	notpad.exe
1020	notpad.exe
1760	tmp7158199.exe
1760	tmp7158199.exe
1964	notpad.exe
1964	notpad.exe
1964	notpad.exe
1656	tmp7158339.exe
1656	tmp7158339.exe
1928	notpad.exe
1928	notpad.exe
1928	notpad.exe
324	tmp7158558.exe
324	tmp7158558.exe
1132	notpad.exe
1132	notpad.exe
1132	notpad.exe
1940	tmp7158761.exe
1940	tmp7158761.exe
1636	notpad.exe
1636	notpad.exe
1636	notpad.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7218057.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7221052.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7159151.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7159775.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7190210.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7191973.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7118076.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7157216.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7190210.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7190054.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7224765.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7156951.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7157216.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7157887.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7160009.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7158339.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7158761.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7161444.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7219929.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7189072.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7224593.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7146109.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7157887.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7158199.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7187106.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7163144.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7189072.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7163144.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7190756.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7190756.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7218837.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7157622.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7159026.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7160071.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7160773.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7221114.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7220163.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7188619.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7190210.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7218837.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7219242.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7162021.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7188760.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7161444.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7188463.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7191973.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7219632.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7158199.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7160399.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7160399.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7161444.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7159151.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7189072.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp7190382.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7220537.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7160133.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7163144.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7188463.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7188619.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp7187574.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7188900.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7222877.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7224499.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp7121133.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 57 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7157622.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7160180.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7162021.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7219429.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7224593.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7190382.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7224765.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7157216.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7187106.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7190507.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7191973.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7221052.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7118076.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7159353.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7160071.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7161444.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7189072.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7121352.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7190054.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7218837.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7188619.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7157887.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7158558.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7188900.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7219289.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7156951.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7158339.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7221114.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7159775.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7219929.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7224499.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7160009.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7190756.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7216637.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7220163.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7187574.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7218057.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7219632.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7146109.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7160133.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7188463.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7219242.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7121133.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7159541.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7160773.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7158199.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7159026.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7161303.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7163066.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7222877.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7163144.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7188760.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7158761.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7159151.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7160399.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7190210.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp7220537.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 1104	1732	9ce381c6f38cd073449aa6b1ad1dac208de03cd4c8a61f941430d456e8d1c08d.exe	27
PID 1732 wrote to memory of 1104	1732	9ce381c6f38cd073449aa6b1ad1dac208de03cd4c8a61f941430d456e8d1c08d.exe	27
PID 1732 wrote to memory of 1104	1732	9ce381c6f38cd073449aa6b1ad1dac208de03cd4c8a61f941430d456e8d1c08d.exe	27
PID 1732 wrote to memory of 1104	1732	9ce381c6f38cd073449aa6b1ad1dac208de03cd4c8a61f941430d456e8d1c08d.exe	27
PID 1732 wrote to memory of 940	1732	9ce381c6f38cd073449aa6b1ad1dac208de03cd4c8a61f941430d456e8d1c08d.exe	28
PID 1732 wrote to memory of 940	1732	9ce381c6f38cd073449aa6b1ad1dac208de03cd4c8a61f941430d456e8d1c08d.exe	28
PID 1732 wrote to memory of 940	1732	9ce381c6f38cd073449aa6b1ad1dac208de03cd4c8a61f941430d456e8d1c08d.exe	28
PID 1732 wrote to memory of 940	1732	9ce381c6f38cd073449aa6b1ad1dac208de03cd4c8a61f941430d456e8d1c08d.exe	28
PID 1104 wrote to memory of 2008	1104	tmp7118076.exe	29
PID 1104 wrote to memory of 2008	1104	tmp7118076.exe	29
PID 1104 wrote to memory of 2008	1104	tmp7118076.exe	29
PID 1104 wrote to memory of 2008	1104	tmp7118076.exe	29
PID 2008 wrote to memory of 1656	2008	notpad.exe	30
PID 2008 wrote to memory of 1656	2008	notpad.exe	30
PID 2008 wrote to memory of 1656	2008	notpad.exe	30
PID 2008 wrote to memory of 1656	2008	notpad.exe	30
PID 2008 wrote to memory of 472	2008	notpad.exe	31
PID 2008 wrote to memory of 472	2008	notpad.exe	31
PID 2008 wrote to memory of 472	2008	notpad.exe	31
PID 2008 wrote to memory of 472	2008	notpad.exe	31
PID 1656 wrote to memory of 1496	1656	tmp7121133.exe	32
PID 1656 wrote to memory of 1496	1656	tmp7121133.exe	32
PID 1656 wrote to memory of 1496	1656	tmp7121133.exe	32
PID 1656 wrote to memory of 1496	1656	tmp7121133.exe	32
PID 1496 wrote to memory of 1148	1496	notpad.exe	33
PID 1496 wrote to memory of 1148	1496	notpad.exe	33
PID 1496 wrote to memory of 1148	1496	notpad.exe	33
PID 1496 wrote to memory of 1148	1496	notpad.exe	33
PID 1496 wrote to memory of 2020	1496	notpad.exe	34
PID 1496 wrote to memory of 2020	1496	notpad.exe	34
PID 1496 wrote to memory of 2020	1496	notpad.exe	34
PID 1496 wrote to memory of 2020	1496	notpad.exe	34
PID 1148 wrote to memory of 704	1148	tmp7121352.exe	35
PID 1148 wrote to memory of 704	1148	tmp7121352.exe	35
PID 1148 wrote to memory of 704	1148	tmp7121352.exe	35
PID 1148 wrote to memory of 704	1148	tmp7121352.exe	35
PID 704 wrote to memory of 1696	704	notpad.exe	36
PID 704 wrote to memory of 1696	704	notpad.exe	36
PID 704 wrote to memory of 1696	704	notpad.exe	36
PID 704 wrote to memory of 1696	704	notpad.exe	36
PID 704 wrote to memory of 1776	704	notpad.exe	37
PID 704 wrote to memory of 1776	704	notpad.exe	37
PID 704 wrote to memory of 1776	704	notpad.exe	37
PID 704 wrote to memory of 1776	704	notpad.exe	37
PID 1696 wrote to memory of 1040	1696	tmp7146109.exe	38
PID 1696 wrote to memory of 1040	1696	tmp7146109.exe	38
PID 1696 wrote to memory of 1040	1696	tmp7146109.exe	38
PID 1696 wrote to memory of 1040	1696	tmp7146109.exe	38
PID 1040 wrote to memory of 1972	1040	notpad.exe	39
PID 1040 wrote to memory of 1972	1040	notpad.exe	39
PID 1040 wrote to memory of 1972	1040	notpad.exe	39
PID 1040 wrote to memory of 1972	1040	notpad.exe	39
PID 1972 wrote to memory of 556	1972	tmp7156951.exe	41
PID 1972 wrote to memory of 556	1972	tmp7156951.exe	41
PID 1972 wrote to memory of 556	1972	tmp7156951.exe	41
PID 1972 wrote to memory of 556	1972	tmp7156951.exe	41
PID 1040 wrote to memory of 1116	1040	notpad.exe	40
PID 1040 wrote to memory of 1116	1040	notpad.exe	40
PID 1040 wrote to memory of 1116	1040	notpad.exe	40
PID 1040 wrote to memory of 1116	1040	notpad.exe	40
PID 556 wrote to memory of 1012	556	notpad.exe	42
PID 556 wrote to memory of 1012	556	notpad.exe	42
PID 556 wrote to memory of 1012	556	notpad.exe	42
PID 556 wrote to memory of 1012	556	notpad.exe	42

C:\Users\Admin\AppData\Local\Temp\9ce381c6f38cd073449aa6b1ad1dac208de03cd4c8a61f941430d456e8d1c08d.exe
"C:\Users\Admin\AppData\Local\Temp\9ce381c6f38cd073449aa6b1ad1dac208de03cd4c8a61f941430d456e8d1c08d.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Temp\tmp7118076.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7118076.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1104
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2008
  - - C:\Users\Admin\AppData\Local\Temp\tmp7121133.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7121133.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1656
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1496
      - C:\Users\Admin\AppData\Local\Temp\tmp7121352.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121352.exe
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1148
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:704
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7146109.exe
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156951.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156951.exe
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1972
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157216.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157216.exe
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1012
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157622.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157622.exe
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157887.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157887.exe
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158199.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158199.exe
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1760
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158339.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158339.exe
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158558.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158558.exe
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:324
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158761.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158761.exe
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159026.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159026.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        27⤵
        Executes dropped EXE
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159151.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159151.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1764
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        29⤵
        Executes dropped EXE
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159353.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159353.exe
        30⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        31⤵
        Executes dropped EXE
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159541.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159541.exe
        32⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1668
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        33⤵
        Executes dropped EXE
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159775.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159775.exe
        34⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        35⤵
        Executes dropped EXE
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160009.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160009.exe
        36⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1296
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        37⤵
        Executes dropped EXE
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160133.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160133.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:332
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        39⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160445.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160445.exe
        40⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160898.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160898.exe
        40⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161444.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161444.exe
        41⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        42⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162302.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162302.exe
        43⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162458.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162458.exe
        43⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164314.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164314.exe
        44⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187137.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187137.exe
        44⤵
        
        PID:280
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161849.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161849.exe
        41⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160165.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160165.exe
        38⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160757.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160757.exe
        39⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160024.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160024.exe
        36⤵
        Executes dropped EXE
        
        PID:280
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160258.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160258.exe
        37⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160367.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160367.exe
        37⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159790.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159790.exe
        34⤵
        Executes dropped EXE
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160071.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160071.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:472
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        36⤵
        Executes dropped EXE
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160305.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160305.exe
        37⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160664.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160664.exe
        38⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161038.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161038.exe
        38⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160180.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160180.exe
        37⤵
        Modifies registry class
        
        PID:1076
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        38⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160773.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160773.exe
        39⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:616
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        40⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161303.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161303.exe
        41⤵
        Modifies registry class
        
        PID:1972
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        42⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161709.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161709.exe
        43⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162083.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162083.exe
        43⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163066.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163066.exe
        44⤵
        Modifies registry class
        
        PID:1900
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        45⤵
        
        PID:340
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187153.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187153.exe
        46⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187324.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187324.exe
        46⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187574.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187574.exe
        47⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1884
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        48⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188494.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188494.exe
        49⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188510.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188510.exe
        49⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188619.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188619.exe
        50⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        51⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188791.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188791.exe
        52⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188838.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188838.exe
        52⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188900.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188900.exe
        53⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:936
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        54⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189072.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189072.exe
        55⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        56⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190070.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190070.exe
        57⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190101.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190101.exe
        57⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190226.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190226.exe
        58⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190242.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190242.exe
        58⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189914.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189914.exe
        55⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190054.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190054.exe
        56⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        57⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190210.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190210.exe
        58⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1688
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        59⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190382.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190382.exe
        60⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:804
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        61⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190694.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190694.exe
        62⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190741.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190741.exe
        62⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190788.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190788.exe
        63⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192004.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7192004.exe
        63⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190460.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190460.exe
        60⤵
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190507.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190507.exe
        61⤵
        Modifies registry class
        
        PID:616
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        62⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190756.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190756.exe
        63⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        64⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216637.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216637.exe
        65⤵
        Modifies registry class
        
        PID:1384
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        66⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218837.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218837.exe
        67⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        68⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219289.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219289.exe
        69⤵
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        70⤵
        
        PID:324
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219632.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219632.exe
        71⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1220
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        72⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220163.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220163.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        74⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220724.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220724.exe
        75⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221021.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221021.exe
        75⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221099.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221099.exe
        76⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222315.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222315.exe
        76⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220428.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220428.exe
        73⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220818.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220818.exe
        74⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221145.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221145.exe
        74⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219851.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219851.exe
        71⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219523.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219523.exe
        69⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219695.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219695.exe
        70⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219960.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219960.exe
        70⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219211.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219211.exe
        67⤵
        
        PID:284
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219429.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219429.exe
        68⤵
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        69⤵
        
        PID:280
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219929.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219929.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1120
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        71⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220537.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220537.exe
        72⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        73⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221052.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221052.exe
        74⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        75⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221333.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221333.exe
        76⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222378.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222378.exe
        76⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222877.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222877.exe
        77⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1068
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        78⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224499.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224499.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        80⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224811.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224811.exe
        81⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\tmp7247338.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7247338.exe
        81⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224733.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224733.exe
        79⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224765.exe
        80⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225903.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7225903.exe
        80⤵
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224219.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224219.exe
        77⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221286.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221286.exe
        74⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224265.exe
        75⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222425.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222425.exe
        75⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220802.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220802.exe
        72⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221114.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7221114.exe
        73⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        74⤵
        
        PID:656
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222830.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222830.exe
        75⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224250.exe
        75⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224593.exe
        76⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1700
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        77⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224905.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224905.exe
        78⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224858.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7224858.exe
        76⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222237.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7222237.exe
        73⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220178.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220178.exe
        70⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220365.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220365.exe
        71⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220490.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220490.exe
        71⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219741.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219741.exe
        68⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218041.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218041.exe
        65⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218337.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218337.exe
        66⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219195.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219195.exe
        66⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191942.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191942.exe
        63⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191973.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7191973.exe
        64⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1624
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        65⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218057.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218057.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1744
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        67⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219242.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219242.exe
        68⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2040
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        69⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219539.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219539.exe
        70⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219570.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219570.exe
        70⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219835.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219835.exe
        71⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220038.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7220038.exe
        71⤵
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219492.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219492.exe
        68⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219648.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219648.exe
        69⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219851.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219851.exe
        69⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218868.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7218868.exe
        66⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219383.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219383.exe
        67⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219507.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7219507.exe
        67⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216840.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7216840.exe
        64⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190647.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190647.exe
        61⤵
        
        PID:340
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190288.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190288.exe
        58⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190444.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190444.exe
        59⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190476.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190476.exe
        59⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190086.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7190086.exe
        56⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188962.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188962.exe
        53⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188697.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188697.exe
        50⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188307.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188307.exe
        47⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178214.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7178214.exe
        44⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161475.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161475.exe
        41⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162021.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162021.exe
        42⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        43⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163144.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7163144.exe
        44⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:656
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        45⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177606.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7177606.exe
        46⤵
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187059.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187059.exe
        46⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187246.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187246.exe
        47⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187262.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187262.exe
        47⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164345.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7164345.exe
        44⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187106.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187106.exe
        45⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1496
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        46⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187449.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187449.exe
        47⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188323.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188323.exe
        47⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188463.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188463.exe
        48⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1976
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        49⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188682.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188682.exe
        50⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188713.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188713.exe
        50⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188760.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188760.exe
        51⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:944
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        52⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188884.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188884.exe
        53⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188947.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188947.exe
        53⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188994.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188994.exe
        54⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189883.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7189883.exe
        54⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188775.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188775.exe
        51⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188479.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7188479.exe
        48⤵
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187309.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7187309.exe
        45⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162239.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7162239.exe
        42⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160867.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160867.exe
        39⤵
        
        PID:704
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161116.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161116.exe
        40⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161569.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161569.exe
        40⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160118.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160118.exe
        35⤵
        Executes dropped EXE
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159634.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159634.exe
        32⤵
        Executes dropped EXE
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159806.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159806.exe
        33⤵
        Executes dropped EXE
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159899.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159899.exe
        33⤵
        Executes dropped EXE
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159447.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159447.exe
        30⤵
        Executes dropped EXE
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159619.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159619.exe
        31⤵
        Executes dropped EXE
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159650.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159650.exe
        31⤵
        Executes dropped EXE
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159213.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159213.exe
        28⤵
        Executes dropped EXE
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159338.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159338.exe
        29⤵
        Executes dropped EXE
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159057.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159057.exe
        26⤵
        Executes dropped EXE
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159119.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7159119.exe
        27⤵
        Executes dropped EXE
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158807.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158807.exe
        24⤵
        Executes dropped EXE
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158667.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158667.exe
        22⤵
        Executes dropped EXE
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160399.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160399.exe
        22⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        23⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160913.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7160913.exe
        24⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161101.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161101.exe
        24⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161647.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161647.exe
        25⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161865.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7161865.exe
        25⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158371.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158371.exe
        20⤵
        Executes dropped EXE
        
        PID:280
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158215.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158215.exe
        18⤵
        Executes dropped EXE
        
        PID:656
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158027.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7158027.exe
        16⤵
        Executes dropped EXE
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157731.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157731.exe
        14⤵
        Executes dropped EXE
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157357.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157357.exe
        12⤵
        Executes dropped EXE
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157029.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7157029.exe
        10⤵
        Executes dropped EXE
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7156015.exe
        8⤵
        Executes dropped EXE
        
        PID:1776
      - C:\Users\Admin\AppData\Local\Temp\tmp7121461.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp7121461.exe
        6⤵
        Executes dropped EXE
        
        PID:2020
  - - C:\Users\Admin\AppData\Local\Temp\tmp7121164.exe
      C:\Users\Admin\AppData\Local\Temp\tmp7121164.exe
      4⤵
      Executes dropped EXE
      PID:472
- C:\Users\Admin\AppData\Local\Temp\tmp7118122.exe
  C:\Users\Admin\AppData\Local\Temp\tmp7118122.exe
  2⤵
  - Executes dropped EXE
  PID:940

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7118076.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7118076.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7118122.exe

Filesize
67KB

MD5
5e28284f9b5f9097640d58a73d38ad4c

SHA1
7a90f8b051bc82cc9cadbcc9ba345ced02891a6c

SHA256
865f34fe7ba81e9622ddbdfc511547d190367bbf3dad21ceb6da3eec621044f5

SHA512
cb7218cfea8813ae8c7acf6f7511aecbeb9d697986e0eb8538065bf9e3e9c6ced9c29270eb677f5acf08d2e94b21018d8c4a376aa646fa73ce831fc87d448934

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7121133.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7121133.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7121164.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7121352.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7121352.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7121461.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7146109.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7146109.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7156015.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7156951.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7156951.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7157029.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7157216.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7157216.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7157357.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
123KB

MD5
80dde3d324b6127cf7956804d4c88f6b

SHA1
708c136be7d876947f517ca84eef9607d5054e50

SHA256
90f5f93586efea8a89a3b1b9352d60991aea9a2563c9791eb1e14258d9fcf5d5

SHA512
33a398d8bdadaadf8da320605d0a23c351b5196c58395d329065e61a9bc276b454f9934873831419063b0192ff72dadea0556e3ec01857700a36f5155ff87d01

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
123KB

MD5
80dde3d324b6127cf7956804d4c88f6b

SHA1
708c136be7d876947f517ca84eef9607d5054e50

SHA256
90f5f93586efea8a89a3b1b9352d60991aea9a2563c9791eb1e14258d9fcf5d5

SHA512
33a398d8bdadaadf8da320605d0a23c351b5196c58395d329065e61a9bc276b454f9934873831419063b0192ff72dadea0556e3ec01857700a36f5155ff87d01

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7118076.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7118076.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7118122.exe

Filesize
67KB

MD5
5e28284f9b5f9097640d58a73d38ad4c

SHA1
7a90f8b051bc82cc9cadbcc9ba345ced02891a6c

SHA256
865f34fe7ba81e9622ddbdfc511547d190367bbf3dad21ceb6da3eec621044f5

SHA512
cb7218cfea8813ae8c7acf6f7511aecbeb9d697986e0eb8538065bf9e3e9c6ced9c29270eb677f5acf08d2e94b21018d8c4a376aa646fa73ce831fc87d448934

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7118122.exe

Filesize
67KB

MD5
5e28284f9b5f9097640d58a73d38ad4c

SHA1
7a90f8b051bc82cc9cadbcc9ba345ced02891a6c

SHA256
865f34fe7ba81e9622ddbdfc511547d190367bbf3dad21ceb6da3eec621044f5

SHA512
cb7218cfea8813ae8c7acf6f7511aecbeb9d697986e0eb8538065bf9e3e9c6ced9c29270eb677f5acf08d2e94b21018d8c4a376aa646fa73ce831fc87d448934

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7121133.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7121133.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7121164.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7121352.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7121352.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7121461.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7146109.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7146109.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7156015.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7156951.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7156951.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7157029.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7157216.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7157216.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
\Users\Admin\AppData\Local\Temp\tmp7157357.exe

Filesize
175KB

MD5
d378bffb70923139d6a4f546864aa61c

SHA1
f00aa51c2ed8b2f656318fdc01ee1cf5441011a4

SHA256
c4232ddd4d37b9c0884bd44d8476578c54d7f98d58945728e425736a6a07e102

SHA512
7c09ec193d91d3cadb7e58c634b8666d8d6243b3ee7d4d4755eeb82bac62b9508e78aa3c53106bfe72d7a437f650b29a54116663e1b4da11613a30656cccc663

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
\Windows\SysWOW64\notpad.exe

Filesize
309KB

MD5
ab781223d00dd2a2cc345f6246ee016d

SHA1
ac3818a007e78a85f63135699e6c5955fc617a19

SHA256
d71ba3a04124512578224d37e52b3c0adf66e8acb67bda8f41a9ceec212aa6df

SHA512
c7baacc06f54ffd9122155e6d0ebf463ef2976a9ef04c9522635ba7c836c6e20b0083d6c02c558f53d99c15ff485fa28dc17a466e6cb6385a6fbe77402478cb1

Download Submit
memory/280-256-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/436-205-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/524-263-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/556-154-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/672-270-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/672-279-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/704-120-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/704-108-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/704-276-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/704-274-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/756-315-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/756-253-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/812-266-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/820-230-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/820-238-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/824-293-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/824-305-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/824-300-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/852-215-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/852-273-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/852-289-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/936-161-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/940-62-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/944-283-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/944-271-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1020-174-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1020-252-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1040-142-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1072-250-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1116-221-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1132-191-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1192-168-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1200-290-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1200-272-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1304-227-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1384-202-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1408-268-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1492-296-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1492-308-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1492-301-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1496-106-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1496-94-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1556-229-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1556-232-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1572-316-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1636-198-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1648-302-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1648-299-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1648-292-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1656-89-0x00000000007A0000-0x00000000007AD000-memory.dmp

Filesize
52KB

Download
memory/1708-291-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1708-294-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1732-65-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1732-64-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1764-275-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1764-285-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1884-211-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1900-249-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1928-187-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1928-259-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1932-269-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1964-179-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2000-297-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2000-311-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2008-83-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download