e191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 15:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718.exe
Size

677KB
MD5

53a0d67cfbb64e20eff3ddd31f35ff50
SHA1

d7de4394a18b0a44137579b4edd9f560e5db04d0
SHA256

e191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718
SHA512

6d4fd8c3fe6435701e2272ab1537ce2c4beb3561c32b393bf1169feca0a6e61b44580f50b8456ad4df5856700dd236dc3b1b33e288e2c7bacae88db8b8dbfcfb
SSDEEP

12288:vR9PeP2R9PAP2R9PyP2R9PPP2R9PVP2R9PtP2R9PsP2R9PeP2R9PQP2R9P5P2R95:vRhRHRJRARyR+RzRtRrRuRyRfR9DyTFl

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

Processes:

notpad.exetmp240595234.exetmp240595500.exenotpad.exetmp240595984.exetmp240596062.exenotpad.exetmp240596468.exetmp240596531.exenotpad.exetmp240596828.exetmp240596906.exenotpad.exetmp240597359.exetmp240597437.exenotpad.exetmp240597828.exetmp240597906.exenotpad.exetmp240598187.exetmp240598515.exenotpad.exetmp240598875.exetmp240598984.exenotpad.exetmp240599421.exetmp240599453.exenotpad.exetmp240599953.exetmp240600312.exenotpad.exetmp240600671.exetmp240600734.exenotpad.exetmp240601046.exetmp240601109.exenotpad.exetmp240601359.exetmp240601406.exenotpad.exetmp240601781.exetmp240601890.exenotpad.exetmp240602218.exetmp240602500.exenotpad.exetmp240602781.exetmp240602875.exenotpad.exetmp240603171.exetmp240603640.exenotpad.exetmp240603906.exetmp240604046.exenotpad.exetmp240604328.exetmp240604390.exenotpad.exetmp240604625.exetmp240604640.exenotpad.exetmp240604906.exetmp240605109.exenotpad.exe

pid	process
3372	notpad.exe
5084	tmp240595234.exe
1892	tmp240595500.exe
2992	notpad.exe
1696	tmp240595984.exe
2264	tmp240596062.exe
5048	notpad.exe
4656	tmp240596468.exe
3628	tmp240596531.exe
1912	notpad.exe
1568	tmp240596828.exe
3028	tmp240596906.exe
3632	notpad.exe
2112	tmp240597359.exe
1256	tmp240597437.exe
540	notpad.exe
2960	tmp240597828.exe
2372	tmp240597906.exe
2152	notpad.exe
1784	tmp240598187.exe
2444	tmp240598515.exe
1936	notpad.exe
1876	tmp240598875.exe
1640	tmp240598984.exe
4588	notpad.exe
2332	tmp240599421.exe
3076	tmp240599453.exe
1392	notpad.exe
2720	tmp240599953.exe
2316	tmp240600312.exe
840	notpad.exe
4284	tmp240600671.exe
1108	tmp240600734.exe
2380	notpad.exe
2344	tmp240601046.exe
3800	tmp240601109.exe
2656	notpad.exe
1172	tmp240601359.exe
3088	tmp240601406.exe
4516	notpad.exe
4448	tmp240601781.exe
3100	tmp240601890.exe
4760	notpad.exe
756	tmp240602218.exe
3972	tmp240602500.exe
4428	notpad.exe
4024	tmp240602781.exe
3144	tmp240602875.exe
1728	notpad.exe
2320	tmp240603171.exe
4308	tmp240603640.exe
4772	notpad.exe
1824	tmp240603906.exe
2916	tmp240604046.exe
4324	notpad.exe
224	tmp240604328.exe
112	tmp240604390.exe
3696	notpad.exe
2572	tmp240604625.exe
3672	tmp240604640.exe
4732	notpad.exe
3640	tmp240604906.exe
1684	tmp240605109.exe
1952	notpad.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\SysWOW64\notpad.exe	upx
C:\Windows\SysWOW64\notpad.exe	upx
behavioral2/memory/3372-140-0x0000000000400000-0x000000000041F000-memory.dmp	upx
C:\Windows\SysWOW64\fsb.stb	upx
behavioral2/memory/3372-143-0x0000000000400000-0x000000000041F000-memory.dmp	upx
C:\Windows\SysWOW64\notpad.exe	upx
C:\Windows\SysWOW64\fsb.stb	upx
behavioral2/memory/2992-153-0x0000000000400000-0x000000000041F000-memory.dmp	upx
C:\Windows\SysWOW64\notpad.exe	upx
behavioral2/memory/5048-161-0x0000000000400000-0x000000000041F000-memory.dmp	upx
C:\Windows\SysWOW64\fsb.stb	upx
behavioral2/memory/5048-164-0x0000000000400000-0x000000000041F000-memory.dmp	upx
C:\Windows\SysWOW64\notpad.exe	upx
C:\Windows\SysWOW64\fsb.stb	upx
behavioral2/memory/1912-174-0x0000000000400000-0x000000000041F000-memory.dmp	upx
C:\Windows\SysWOW64\notpad.exe	upx
C:\Windows\SysWOW64\fsb.stb	upx
behavioral2/memory/3632-184-0x0000000000400000-0x000000000041F000-memory.dmp	upx
C:\Windows\SysWOW64\notpad.exe	upx
C:\Windows\SysWOW64\fsb.stb	upx
behavioral2/memory/540-194-0x0000000000400000-0x000000000041F000-memory.dmp	upx
C:\Windows\SysWOW64\notpad.exe	upx
behavioral2/memory/2152-204-0x0000000000400000-0x000000000041F000-memory.dmp	upx
C:\Windows\SysWOW64\fsb.stb	upx
C:\Windows\SysWOW64\notpad.exe	upx
C:\Windows\SysWOW64\fsb.stb	upx
behavioral2/memory/1936-214-0x0000000000400000-0x000000000041F000-memory.dmp	upx
C:\Windows\SysWOW64\notpad.exe	upx
C:\Windows\SysWOW64\fsb.stb	upx
behavioral2/memory/4588-224-0x0000000000400000-0x000000000041F000-memory.dmp	upx
C:\Windows\SysWOW64\notpad.exe	upx
C:\Windows\SysWOW64\fsb.stb	upx
behavioral2/memory/1392-234-0x0000000000400000-0x000000000041F000-memory.dmp	upx
C:\Windows\SysWOW64\notpad.exe	upx
behavioral2/memory/840-240-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/840-242-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2380-246-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2656-250-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4516-253-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4516-255-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4760-259-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4428-263-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1728-267-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4772-269-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4772-272-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4324-276-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3696-280-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4732-282-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4732-285-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1952-287-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1256-288-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1256-289-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2832-290-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2368-291-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4208-292-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4208-293-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4340-294-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3788-295-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1420-296-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3816-297-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3816-298-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1884-299-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3404-300-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1156-301-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp240607656.exetmp240604906.exetmp240612843.exetmp240623593.exetmp240607218.exetmp240624078.exetmp240625484.exetmp240640750.exetmp240597828.exetmp240598187.exetmp240598875.exetmp240624953.exetmp240633812.exetmp240641421.exetmp240601359.exetmp240617093.exetmp240628843.exetmp240639703.exetmp240601046.exetmp240603906.exenotpad.exetmp240595984.exetmp240604625.exetmp240632343.exetmp240599421.exetmp240615640.exetmp240635906.exetmp240638109.exetmp240609375.exetmp240642765.exetmp240612281.exetmp240622296.exetmp240640000.exetmp240616796.exetmp240626406.exetmp240627515.exetmp240606531.exetmp240609843.exetmp240611765.exetmp240618843.exetmp240645281.exee191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718.exetmp240604328.exetmp240608421.exetmp240603171.exetmp240630546.exetmp240631015.exetmp240624562.exetmp240646687.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240607656.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240604906.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240612843.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240623593.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240607218.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240624078.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240625484.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240640750.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240597828.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240598187.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240598875.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240624953.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240633812.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240641421.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240601359.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240617093.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240628843.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240639703.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240601046.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240603906.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	notpad.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240595984.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240604625.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240632343.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240599421.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240615640.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240635906.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240638109.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240609375.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240642765.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240612281.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240622296.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240640000.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240616796.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240626406.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240627515.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240606531.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240609843.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240611765.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240618843.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240645281.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	e191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240604328.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240608421.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240603171.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240630546.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240631015.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240624562.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240646687.exe

Drops file in System32 directory 64 IoCs

Processes:

tmp240607656.exetmp240618015.exetmp240624078.exetmp240604906.exetmp240615640.exetmp240633281.exetmp240612281.exetmp240614093.exetmp240643046.exetmp240651218.exetmp240596828.exetmp240623000.exetmp240624953.exetmp240608000.exetmp240612625.exetmp240609375.exetmp240630078.exetmp240632343.exetmp240640171.exetmp240640750.exetmp240646687.exetmp240605875.exetmp240627515.exetmp240642765.exetmp240614906.exetmp240625484.exetmp240626406.exetmp240624562.exetmp240602218.exetmp240631609.exetmp240647750.exetmp240600671.exetmp240608421.exetmp240597359.exetmp240628046.exetmp240595234.exetmp240623593.exe

description	ioc	process
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240607656.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240618015.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240624078.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240604906.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240604906.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240615640.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240633281.exe
File created	C:\Windows\SysWOW64\notpad.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240612281.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240614093.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240643046.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240651218.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240596828.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240623000.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240624953.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240608000.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240612625.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240609375.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240630078.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240632343.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240640171.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240640750.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240646687.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb
File created	C:\Windows\SysWOW64\notpad.exe	tmp240605875.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240614093.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240627515.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240642765.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240646687.exe
File created	C:\Windows\SysWOW64\notpad.exe-
File created	C:\Windows\SysWOW64\notpad.exe-
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240614906.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240625484.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240626406.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240640171.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb
File opened for modification	C:\Windows\SysWOW64\fsb.stb
File created	C:\Windows\SysWOW64\notpad.exe-
File created	C:\Windows\SysWOW64\notpad.exe	tmp240612625.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240624562.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240602218.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240631609.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240627515.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240647750.exe
File created	C:\Windows\SysWOW64\notpad.exe-
File created	C:\Windows\SysWOW64\notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240600671.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240608421.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240625484.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb
File opened for modification	C:\Windows\SysWOW64\fsb.tmp
File created	C:\Windows\SysWOW64\notpad.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240597359.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240624953.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240628046.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240640750.exe
File created	C:\Windows\SysWOW64\notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240595234.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240623593.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

tmp240624078.exetmp240624953.exetmp240600671.exetmp240596828.exetmp240605359.exetmp240606234.exetmp240632812.exetmp240652687.exetmp240606531.exetmp240607656.exetmp240621921.exetmp240647750.exetmp240597828.exetmp240598875.exetmp240616359.exetmp240625953.exetmp240629546.exetmp240641421.exetmp240599953.exetmp240601781.exetmp240612281.exetmp240615640.exenotpad.exetmp240595984.exetmp240618843.exetmp240637109.exetmp240608421.exetmp240609140.exetmp240608000.exetmp240619656.exetmp240630078.exetmp240638109.exee191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718.exetmp240598187.exetmp240619312.exetmp240624562.exetmp240642765.exetmp240647453.exetmp240606906.exetmp240609843.exetmp240620312.exetmp240622296.exetmp240634171.exetmp240643046.exetmp240639703.exetmp240601046.exetmp240605875.exetmp240610984.exetmp240640171.exetmp240646687.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240624078.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240624953.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240600671.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240596828.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240605359.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240606234.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240632812.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240652687.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240606531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240607656.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240621921.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240647750.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240597828.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240598875.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240616359.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240625953.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240629546.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240641421.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240599953.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240601781.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240612281.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240615640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240595984.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240618843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240637109.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240608421.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240609140.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240608000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240619656.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240630078.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240638109.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	e191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240598187.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240619312.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240624562.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240642765.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240647453.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240606906.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240609843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240620312.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240622296.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240634171.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240643046.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240639703.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240601046.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240605875.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240610984.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240640171.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240646687.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718.exenotpad.exetmp240595234.exenotpad.exetmp240595984.exenotpad.exetmp240596468.exenotpad.exetmp240596828.exenotpad.exetmp240597359.exenotpad.exetmp240597828.exenotpad.exetmp240598187.exe

description	pid	process	target process
PID 3204 wrote to memory of 3372	3204	e191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718.exe	notpad.exe
PID 3204 wrote to memory of 3372	3204	e191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718.exe	notpad.exe
PID 3204 wrote to memory of 3372	3204	e191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718.exe	notpad.exe
PID 3372 wrote to memory of 5084	3372	notpad.exe	tmp240595234.exe
PID 3372 wrote to memory of 5084	3372	notpad.exe	tmp240595234.exe
PID 3372 wrote to memory of 5084	3372	notpad.exe	tmp240595234.exe
PID 3372 wrote to memory of 1892	3372	notpad.exe	tmp240595500.exe
PID 3372 wrote to memory of 1892	3372	notpad.exe	tmp240595500.exe
PID 3372 wrote to memory of 1892	3372	notpad.exe	tmp240595500.exe
PID 5084 wrote to memory of 2992	5084	tmp240595234.exe	notpad.exe
PID 5084 wrote to memory of 2992	5084	tmp240595234.exe	notpad.exe
PID 5084 wrote to memory of 2992	5084	tmp240595234.exe	notpad.exe
PID 2992 wrote to memory of 1696	2992	notpad.exe	tmp240595984.exe
PID 2992 wrote to memory of 1696	2992	notpad.exe	tmp240595984.exe
PID 2992 wrote to memory of 1696	2992	notpad.exe	tmp240595984.exe
PID 2992 wrote to memory of 2264	2992	notpad.exe	tmp240596062.exe
PID 2992 wrote to memory of 2264	2992	notpad.exe	tmp240596062.exe
PID 2992 wrote to memory of 2264	2992	notpad.exe	tmp240596062.exe
PID 1696 wrote to memory of 5048	1696	tmp240595984.exe	notpad.exe
PID 1696 wrote to memory of 5048	1696	tmp240595984.exe	notpad.exe
PID 1696 wrote to memory of 5048	1696	tmp240595984.exe	notpad.exe
PID 5048 wrote to memory of 4656	5048	notpad.exe	tmp240596468.exe
PID 5048 wrote to memory of 4656	5048	notpad.exe	tmp240596468.exe
PID 5048 wrote to memory of 4656	5048	notpad.exe	tmp240596468.exe
PID 5048 wrote to memory of 3628	5048	notpad.exe	tmp240596531.exe
PID 5048 wrote to memory of 3628	5048	notpad.exe	tmp240596531.exe
PID 5048 wrote to memory of 3628	5048	notpad.exe	tmp240596531.exe
PID 4656 wrote to memory of 1912	4656	tmp240596468.exe	notpad.exe
PID 4656 wrote to memory of 1912	4656	tmp240596468.exe	notpad.exe
PID 4656 wrote to memory of 1912	4656	tmp240596468.exe	notpad.exe
PID 1912 wrote to memory of 1568	1912	notpad.exe	tmp240596828.exe
PID 1912 wrote to memory of 1568	1912	notpad.exe	tmp240596828.exe
PID 1912 wrote to memory of 1568	1912	notpad.exe	tmp240596828.exe
PID 1912 wrote to memory of 3028	1912	notpad.exe	tmp240596906.exe
PID 1912 wrote to memory of 3028	1912	notpad.exe	tmp240596906.exe
PID 1912 wrote to memory of 3028	1912	notpad.exe	tmp240596906.exe
PID 1568 wrote to memory of 3632	1568	tmp240596828.exe	notpad.exe
PID 1568 wrote to memory of 3632	1568	tmp240596828.exe	notpad.exe
PID 1568 wrote to memory of 3632	1568	tmp240596828.exe	notpad.exe
PID 3632 wrote to memory of 2112	3632	notpad.exe	tmp240597359.exe
PID 3632 wrote to memory of 2112	3632	notpad.exe	tmp240597359.exe
PID 3632 wrote to memory of 2112	3632	notpad.exe	tmp240597359.exe
PID 3632 wrote to memory of 1256	3632	notpad.exe	tmp240597437.exe
PID 3632 wrote to memory of 1256	3632	notpad.exe	tmp240597437.exe
PID 3632 wrote to memory of 1256	3632	notpad.exe	tmp240597437.exe
PID 2112 wrote to memory of 540	2112	tmp240597359.exe	notpad.exe
PID 2112 wrote to memory of 540	2112	tmp240597359.exe	notpad.exe
PID 2112 wrote to memory of 540	2112	tmp240597359.exe	notpad.exe
PID 540 wrote to memory of 2960	540	notpad.exe	tmp240597828.exe
PID 540 wrote to memory of 2960	540	notpad.exe	tmp240597828.exe
PID 540 wrote to memory of 2960	540	notpad.exe	tmp240597828.exe
PID 540 wrote to memory of 2372	540	notpad.exe	tmp240597906.exe
PID 540 wrote to memory of 2372	540	notpad.exe	tmp240597906.exe
PID 540 wrote to memory of 2372	540	notpad.exe	tmp240597906.exe
PID 2960 wrote to memory of 2152	2960	tmp240597828.exe	notpad.exe
PID 2960 wrote to memory of 2152	2960	tmp240597828.exe	notpad.exe
PID 2960 wrote to memory of 2152	2960	tmp240597828.exe	notpad.exe
PID 2152 wrote to memory of 1784	2152	notpad.exe	tmp240598187.exe
PID 2152 wrote to memory of 1784	2152	notpad.exe	tmp240598187.exe
PID 2152 wrote to memory of 1784	2152	notpad.exe	tmp240598187.exe
PID 2152 wrote to memory of 2444	2152	notpad.exe	tmp240598515.exe
PID 2152 wrote to memory of 2444	2152	notpad.exe	tmp240598515.exe
PID 2152 wrote to memory of 2444	2152	notpad.exe	tmp240598515.exe
PID 1784 wrote to memory of 1936	1784	tmp240598187.exe	notpad.exe

C:\Users\Admin\AppData\Local\Temp\e191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718.exe
"C:\Users\Admin\AppData\Local\Temp\e191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3204

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3372

C:\Users\Admin\AppData\Local\Temp\tmp240595234.exe
C:\Users\Admin\AppData\Local\Temp\tmp240595234.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:5084

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2992

C:\Users\Admin\AppData\Local\Temp\tmp240595984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240595984.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5048

C:\Users\Admin\AppData\Local\Temp\tmp240596468.exe
C:\Users\Admin\AppData\Local\Temp\tmp240596468.exe
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4656

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1912

C:\Users\Admin\AppData\Local\Temp\tmp240596828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240596828.exe
9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1568

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3632

C:\Users\Admin\AppData\Local\Temp\tmp240597359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240597359.exe
11⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2112

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:540

C:\Users\Admin\AppData\Local\Temp\tmp240597828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240597828.exe
13⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2960

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2152

C:\Users\Admin\AppData\Local\Temp\tmp240598187.exe
C:\Users\Admin\AppData\Local\Temp\tmp240598187.exe
15⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
16⤵
- Executes dropped EXE
PID:1936

C:\Users\Admin\AppData\Local\Temp\tmp240598875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240598875.exe
17⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:1876

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
18⤵
- Executes dropped EXE
PID:4588

C:\Users\Admin\AppData\Local\Temp\tmp240599421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599421.exe
19⤵
- Executes dropped EXE
- Checks computer location settings
PID:2332

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
20⤵
- Executes dropped EXE
PID:1392

C:\Users\Admin\AppData\Local\Temp\tmp240599953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599953.exe
21⤵
- Executes dropped EXE
- Modifies registry class
PID:2720

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
22⤵
- Executes dropped EXE
PID:840

C:\Users\Admin\AppData\Local\Temp\tmp240600671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240600671.exe
23⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4284

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
24⤵
- Executes dropped EXE
PID:2380

C:\Users\Admin\AppData\Local\Temp\tmp240601046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240601046.exe
25⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:2344

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
26⤵
- Executes dropped EXE
PID:2656

C:\Users\Admin\AppData\Local\Temp\tmp240601359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240601359.exe
27⤵
- Executes dropped EXE
- Checks computer location settings
PID:1172

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
28⤵
- Executes dropped EXE
PID:4516

C:\Users\Admin\AppData\Local\Temp\tmp240601781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240601781.exe
29⤵
- Executes dropped EXE
- Modifies registry class
PID:4448

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
30⤵
- Executes dropped EXE
PID:4760

C:\Users\Admin\AppData\Local\Temp\tmp240602218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240602218.exe
31⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:756

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
32⤵
- Executes dropped EXE
PID:4428

C:\Users\Admin\AppData\Local\Temp\tmp240602781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240602781.exe
33⤵
- Executes dropped EXE
PID:4024

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
34⤵
- Executes dropped EXE
PID:1728

C:\Users\Admin\AppData\Local\Temp\tmp240603171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240603171.exe
35⤵
- Executes dropped EXE
- Checks computer location settings
PID:2320

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
36⤵
- Executes dropped EXE
PID:4772

C:\Users\Admin\AppData\Local\Temp\tmp240603906.exe
C:\Users\Admin\AppData\Local\Temp\tmp240603906.exe
37⤵
- Executes dropped EXE
- Checks computer location settings
PID:1824

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
38⤵
- Executes dropped EXE
PID:4324

C:\Users\Admin\AppData\Local\Temp\tmp240604328.exe
C:\Users\Admin\AppData\Local\Temp\tmp240604328.exe
39⤵
- Executes dropped EXE
- Checks computer location settings
PID:224

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
40⤵
- Executes dropped EXE
PID:3696

C:\Users\Admin\AppData\Local\Temp\tmp240604625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240604625.exe
41⤵
- Executes dropped EXE
- Checks computer location settings
PID:2572

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
42⤵
- Executes dropped EXE
PID:4732

C:\Users\Admin\AppData\Local\Temp\tmp240604906.exe
C:\Users\Admin\AppData\Local\Temp\tmp240604906.exe
43⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
PID:3640

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
44⤵
- Executes dropped EXE
PID:1952

C:\Users\Admin\AppData\Local\Temp\tmp240605359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240605359.exe
45⤵
- Modifies registry class
PID:3708

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
46⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\tmp240605875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240605875.exe
47⤵
- Drops file in System32 directory
- Modifies registry class
PID:4492

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
48⤵
PID:2832

C:\Users\Admin\AppData\Local\Temp\tmp240606234.exe
C:\Users\Admin\AppData\Local\Temp\tmp240606234.exe
49⤵
- Modifies registry class
PID:5056

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
50⤵
PID:2368

C:\Users\Admin\AppData\Local\Temp\tmp240606531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240606531.exe
51⤵
- Checks computer location settings
- Modifies registry class
PID:2960

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
52⤵
PID:4208

C:\Users\Admin\AppData\Local\Temp\tmp240606906.exe
C:\Users\Admin\AppData\Local\Temp\tmp240606906.exe
53⤵
- Modifies registry class
PID:1404

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
54⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\tmp240607218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240607218.exe
55⤵
- Checks computer location settings
PID:4944

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
56⤵
PID:3788

C:\Users\Admin\AppData\Local\Temp\tmp240607656.exe
C:\Users\Admin\AppData\Local\Temp\tmp240607656.exe
57⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:3644

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
58⤵
PID:3816

C:\Users\Admin\AppData\Local\Temp\tmp240608000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240608000.exe
59⤵
- Drops file in System32 directory
- Modifies registry class
PID:2332

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
60⤵
PID:3404

C:\Users\Admin\AppData\Local\Temp\tmp240608421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240608421.exe
61⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:4544

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
62⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\tmp240608734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240608734.exe
63⤵
PID:4300

C:\Users\Admin\AppData\Local\Temp\tmp240609203.exe
C:\Users\Admin\AppData\Local\Temp\tmp240609203.exe
63⤵
PID:4704

C:\Users\Admin\AppData\Local\Temp\tmp240609546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240609546.exe
64⤵
PID:4516

C:\Users\Admin\AppData\Local\Temp\tmp240609703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240609703.exe
64⤵
PID:1820

C:\Users\Admin\AppData\Local\Temp\tmp240609921.exe
C:\Users\Admin\AppData\Local\Temp\tmp240609921.exe
65⤵
PID:4372

C:\Users\Admin\AppData\Local\Temp\tmp240610062.exe
C:\Users\Admin\AppData\Local\Temp\tmp240610062.exe
65⤵
PID:4028

C:\Users\Admin\AppData\Local\Temp\tmp240608484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240608484.exe
61⤵
PID:2848

C:\Users\Admin\AppData\Local\Temp\tmp240608546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240608546.exe
62⤵
PID:4688

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
63⤵
PID:4212

C:\Users\Admin\AppData\Local\Temp\tmp240609140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240609140.exe
64⤵
- Modifies registry class
PID:3836

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
65⤵
PID:3304

C:\Users\Admin\AppData\Local\Temp\tmp240609531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240609531.exe
66⤵
PID:3348

C:\Users\Admin\AppData\Local\Temp\tmp240609687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240609687.exe
66⤵
PID:1048

C:\Users\Admin\AppData\Local\Temp\tmp240609937.exe
C:\Users\Admin\AppData\Local\Temp\tmp240609937.exe
67⤵
PID:4644

C:\Users\Admin\AppData\Local\Temp\tmp240610046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240610046.exe
67⤵
PID:5044

C:\Users\Admin\AppData\Local\Temp\tmp240610328.exe
C:\Users\Admin\AppData\Local\Temp\tmp240610328.exe
68⤵
PID:2504

C:\Users\Admin\AppData\Local\Temp\tmp240610250.exe
C:\Users\Admin\AppData\Local\Temp\tmp240610250.exe
68⤵
PID:4436

C:\Users\Admin\AppData\Local\Temp\tmp240609156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240609156.exe
64⤵
PID:2188

C:\Users\Admin\AppData\Local\Temp\tmp240609375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240609375.exe
65⤵
- Checks computer location settings
- Drops file in System32 directory
PID:4424

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
66⤵
PID:756

C:\Users\Admin\AppData\Local\Temp\tmp240610109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240610109.exe
67⤵
PID:3144

C:\Users\Admin\AppData\Local\Temp\tmp240610171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240610171.exe
67⤵
PID:4104

C:\Users\Admin\AppData\Local\Temp\tmp240610343.exe
C:\Users\Admin\AppData\Local\Temp\tmp240610343.exe
68⤵
PID:1728

C:\Users\Admin\AppData\Local\Temp\tmp240610437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240610437.exe
68⤵
PID:5080

C:\Users\Admin\AppData\Local\Temp\tmp240610500.exe
C:\Users\Admin\AppData\Local\Temp\tmp240610500.exe
69⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\tmp240610546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240610546.exe
69⤵
PID:336

C:\Users\Admin\AppData\Local\Temp\tmp240609656.exe
C:\Users\Admin\AppData\Local\Temp\tmp240609656.exe
65⤵
PID:2416

C:\Users\Admin\AppData\Local\Temp\tmp240609843.exe
C:\Users\Admin\AppData\Local\Temp\tmp240609843.exe
66⤵
- Checks computer location settings
- Modifies registry class
PID:3276

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
67⤵
PID:4240

C:\Users\Admin\AppData\Local\Temp\tmp240610593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240610593.exe
68⤵
PID:228

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
69⤵
PID:3452

C:\Users\Admin\AppData\Local\Temp\tmp240610984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240610984.exe
70⤵
- Modifies registry class
PID:3692

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
71⤵
PID:3492

C:\Users\Admin\AppData\Local\Temp\tmp240611421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240611421.exe
72⤵
PID:1764

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
73⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\tmp240611765.exe
C:\Users\Admin\AppData\Local\Temp\tmp240611765.exe
74⤵
- Checks computer location settings
PID:392

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
75⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\tmp240612312.exe
C:\Users\Admin\AppData\Local\Temp\tmp240612312.exe
76⤵
PID:540

C:\Users\Admin\AppData\Local\Temp\tmp240612515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240612515.exe
76⤵
PID:4264

C:\Users\Admin\AppData\Local\Temp\tmp240612625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240612625.exe
77⤵
- Drops file in System32 directory
PID:1288

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
78⤵
PID:5100

C:\Users\Admin\AppData\Local\Temp\tmp240613203.exe
C:\Users\Admin\AppData\Local\Temp\tmp240613203.exe
79⤵
PID:2420

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
80⤵
PID:4628

C:\Users\Admin\AppData\Local\Temp\tmp240614203.exe
C:\Users\Admin\AppData\Local\Temp\tmp240614203.exe
81⤵
PID:3800

C:\Users\Admin\AppData\Local\Temp\tmp240614796.exe
C:\Users\Admin\AppData\Local\Temp\tmp240614796.exe
81⤵
PID:1932

C:\Users\Admin\AppData\Local\Temp\tmp240615062.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615062.exe
82⤵
PID:4640

C:\Users\Admin\AppData\Local\Temp\tmp240615265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615265.exe
82⤵
PID:4644

C:\Users\Admin\AppData\Local\Temp\tmp240615437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615437.exe
83⤵
PID:3196

C:\Users\Admin\AppData\Local\Temp\tmp240615546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615546.exe
83⤵
PID:1728

C:\Users\Admin\AppData\Local\Temp\tmp240615843.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615843.exe
84⤵
PID:4196

C:\Users\Admin\AppData\Local\Temp\tmp240616015.exe
C:\Users\Admin\AppData\Local\Temp\tmp240616015.exe
84⤵
PID:2992

C:\Users\Admin\AppData\Local\Temp\tmp240613890.exe
C:\Users\Admin\AppData\Local\Temp\tmp240613890.exe
79⤵
PID:2316

C:\Users\Admin\AppData\Local\Temp\tmp240614140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240614140.exe
80⤵
PID:2848

C:\Users\Admin\AppData\Local\Temp\tmp240614781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240614781.exe
80⤵
PID:4952

C:\Users\Admin\AppData\Local\Temp\tmp240614875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240614875.exe
81⤵
PID:4328

C:\Users\Admin\AppData\Local\Temp\tmp240615031.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615031.exe
81⤵
PID:4516

C:\Users\Admin\AppData\Local\Temp\tmp240615156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615156.exe
82⤵
PID:1020

C:\Users\Admin\AppData\Local\Temp\tmp240615343.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615343.exe
82⤵
PID:4028

C:\Users\Admin\AppData\Local\Temp\tmp240612937.exe
C:\Users\Admin\AppData\Local\Temp\tmp240612937.exe
77⤵
PID:3012

C:\Users\Admin\AppData\Local\Temp\tmp240613281.exe
C:\Users\Admin\AppData\Local\Temp\tmp240613281.exe
78⤵
PID:1420

C:\Users\Admin\AppData\Local\Temp\tmp240613515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240613515.exe
78⤵
PID:4452

C:\Users\Admin\AppData\Local\Temp\tmp240613625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240613625.exe
79⤵
PID:1996

C:\Users\Admin\AppData\Local\Temp\tmp240614109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240614109.exe
79⤵
PID:3092

C:\Users\Admin\AppData\Local\Temp\tmp240615187.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615187.exe
80⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\tmp240615406.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615406.exe
80⤵
PID:4444

C:\Users\Admin\AppData\Local\Temp\tmp240615671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615671.exe
81⤵
PID:4432

C:\Users\Admin\AppData\Local\Temp\tmp240616062.exe
C:\Users\Admin\AppData\Local\Temp\tmp240616062.exe
81⤵
PID:3488

C:\Users\Admin\AppData\Local\Temp\tmp240616406.exe
C:\Users\Admin\AppData\Local\Temp\tmp240616406.exe
82⤵
PID:1456

C:\Users\Admin\AppData\Local\Temp\tmp240616515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240616515.exe
82⤵
PID:4656

C:\Users\Admin\AppData\Local\Temp\tmp240612062.exe
C:\Users\Admin\AppData\Local\Temp\tmp240612062.exe
74⤵
PID:2940

C:\Users\Admin\AppData\Local\Temp\tmp240612375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240612375.exe
75⤵
PID:1140

C:\Users\Admin\AppData\Local\Temp\tmp240612687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240612687.exe
75⤵
PID:2080

C:\Users\Admin\AppData\Local\Temp\tmp240613328.exe
C:\Users\Admin\AppData\Local\Temp\tmp240613328.exe
76⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\tmp240613578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240613578.exe
76⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\tmp240614187.exe
C:\Users\Admin\AppData\Local\Temp\tmp240614187.exe
77⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\tmp240614593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240614593.exe
77⤵
PID:3100

C:\Users\Admin\AppData\Local\Temp\tmp240611437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240611437.exe
72⤵
PID:4876

C:\Users\Admin\AppData\Local\Temp\tmp240611734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240611734.exe
73⤵
PID:2060

C:\Users\Admin\AppData\Local\Temp\tmp240612078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240612078.exe
73⤵
PID:1236

C:\Users\Admin\AppData\Local\Temp\tmp240612281.exe
C:\Users\Admin\AppData\Local\Temp\tmp240612281.exe
74⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:1064

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
75⤵
PID:1528

C:\Users\Admin\AppData\Local\Temp\tmp240612843.exe
C:\Users\Admin\AppData\Local\Temp\tmp240612843.exe
76⤵
- Checks computer location settings
PID:4340

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
77⤵
PID:936

C:\Users\Admin\AppData\Local\Temp\tmp240613593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240613593.exe
78⤵
PID:3008

C:\Users\Admin\AppData\Local\Temp\tmp240614109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240614109.exe
78⤵
PID:4212

C:\Users\Admin\AppData\Local\Temp\tmp240614906.exe
C:\Users\Admin\AppData\Local\Temp\tmp240614906.exe
79⤵
- Drops file in System32 directory
PID:1172

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
80⤵
PID:2020

C:\Users\Admin\AppData\Local\Temp\tmp240615609.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615609.exe
81⤵
PID:4772

C:\Users\Admin\AppData\Local\Temp\tmp240615984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615984.exe
81⤵
PID:4320

C:\Users\Admin\AppData\Local\Temp\tmp240616359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240616359.exe
82⤵
- Modifies registry class
PID:3696

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
83⤵
PID:3716

C:\Users\Admin\AppData\Local\Temp\tmp240616796.exe
C:\Users\Admin\AppData\Local\Temp\tmp240616796.exe
84⤵
- Checks computer location settings
PID:4676

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
85⤵
PID:1968

C:\Users\Admin\AppData\Local\Temp\tmp240617109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240617109.exe
86⤵
PID:5116

C:\Users\Admin\AppData\Local\Temp\tmp240617250.exe
C:\Users\Admin\AppData\Local\Temp\tmp240617250.exe
86⤵
PID:1512

C:\Users\Admin\AppData\Local\Temp\tmp240617343.exe
C:\Users\Admin\AppData\Local\Temp\tmp240617343.exe
87⤵
PID:1784

C:\Users\Admin\AppData\Local\Temp\tmp240617421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240617421.exe
87⤵
PID:2940

C:\Users\Admin\AppData\Local\Temp\tmp240617578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240617578.exe
88⤵
PID:4332

C:\Users\Admin\AppData\Local\Temp\tmp240617609.exe
C:\Users\Admin\AppData\Local\Temp\tmp240617609.exe
88⤵
PID:1872

C:\Users\Admin\AppData\Local\Temp\tmp240617765.exe
C:\Users\Admin\AppData\Local\Temp\tmp240617765.exe
89⤵
PID:2740

C:\Users\Admin\AppData\Local\Temp\tmp240617953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240617953.exe
89⤵
PID:2080

C:\Users\Admin\AppData\Local\Temp\tmp240616828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240616828.exe
84⤵
PID:4500

C:\Users\Admin\AppData\Local\Temp\tmp240617234.exe
C:\Users\Admin\AppData\Local\Temp\tmp240617234.exe
85⤵
PID:1424

C:\Users\Admin\AppData\Local\Temp\tmp240617328.exe
C:\Users\Admin\AppData\Local\Temp\tmp240617328.exe
85⤵
PID:4208

C:\Users\Admin\AppData\Local\Temp\tmp240617562.exe
C:\Users\Admin\AppData\Local\Temp\tmp240617562.exe
86⤵
PID:3076

C:\Users\Admin\AppData\Local\Temp\tmp240618015.exe
C:\Users\Admin\AppData\Local\Temp\tmp240618015.exe
87⤵
- Drops file in System32 directory
PID:1276

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
88⤵
PID:3008

C:\Users\Admin\AppData\Local\Temp\tmp240618390.exe
C:\Users\Admin\AppData\Local\Temp\tmp240618390.exe
89⤵
PID:1772

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
90⤵
PID:3572

C:\Users\Admin\AppData\Local\Temp\tmp240618843.exe
C:\Users\Admin\AppData\Local\Temp\tmp240618843.exe
91⤵
- Checks computer location settings
- Modifies registry class
PID:4952

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
92⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\tmp240619375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240619375.exe
93⤵
PID:4008

C:\Users\Admin\AppData\Local\Temp\tmp240619421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240619421.exe
93⤵
PID:5060

C:\Users\Admin\AppData\Local\Temp\tmp240619500.exe
C:\Users\Admin\AppData\Local\Temp\tmp240619500.exe
94⤵
PID:4436

C:\Users\Admin\AppData\Local\Temp\tmp240619562.exe
C:\Users\Admin\AppData\Local\Temp\tmp240619562.exe
94⤵
PID:1048

C:\Users\Admin\AppData\Local\Temp\tmp240619734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240619734.exe
95⤵
PID:3276

C:\Users\Admin\AppData\Local\Temp\tmp240619875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240619875.exe
95⤵
PID:3296

C:\Users\Admin\AppData\Local\Temp\tmp240619984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240619984.exe
96⤵
PID:1488

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
97⤵
PID:4932

C:\Users\Admin\AppData\Local\Temp\tmp240621343.exe
C:\Users\Admin\AppData\Local\Temp\tmp240621343.exe
98⤵
PID:1056

C:\Users\Admin\AppData\Local\Temp\tmp240621437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240621437.exe
98⤵
PID:3452

C:\Users\Admin\AppData\Local\Temp\tmp240621640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240621640.exe
99⤵
PID:4004

C:\Users\Admin\AppData\Local\Temp\tmp240622234.exe
C:\Users\Admin\AppData\Local\Temp\tmp240622234.exe
99⤵
PID:4944

C:\Users\Admin\AppData\Local\Temp\tmp240622484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240622484.exe
100⤵
PID:612

C:\Users\Admin\AppData\Local\Temp\tmp240622750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240622750.exe
100⤵
PID:3256

C:\Users\Admin\AppData\Local\Temp\tmp240622953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240622953.exe
101⤵
PID:4316

C:\Users\Admin\AppData\Local\Temp\tmp240623015.exe
C:\Users\Admin\AppData\Local\Temp\tmp240623015.exe
101⤵
PID:2324

C:\Users\Admin\AppData\Local\Temp\tmp240621015.exe
C:\Users\Admin\AppData\Local\Temp\tmp240621015.exe
96⤵
PID:3312

C:\Users\Admin\AppData\Local\Temp\tmp240618875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240618875.exe
91⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\tmp240618968.exe
C:\Users\Admin\AppData\Local\Temp\tmp240618968.exe
92⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\tmp240619046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240619046.exe
92⤵
PID:4640

C:\Users\Admin\AppData\Local\Temp\tmp240619156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240619156.exe
93⤵
PID:2944

C:\Users\Admin\AppData\Local\Temp\tmp240619234.exe
C:\Users\Admin\AppData\Local\Temp\tmp240619234.exe
93⤵
PID:3092

C:\Users\Admin\AppData\Local\Temp\tmp240619359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240619359.exe
94⤵
PID:3088

C:\Users\Admin\AppData\Local\Temp\tmp240619312.exe
C:\Users\Admin\AppData\Local\Temp\tmp240619312.exe
94⤵
- Modifies registry class
PID:4760

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
95⤵
PID:336

C:\Users\Admin\AppData\Local\Temp\tmp240619656.exe
C:\Users\Admin\AppData\Local\Temp\tmp240619656.exe
96⤵
- Modifies registry class
PID:1892

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
97⤵
PID:3468

C:\Users\Admin\AppData\Local\Temp\tmp240620203.exe
C:\Users\Admin\AppData\Local\Temp\tmp240620203.exe
98⤵
PID:756

C:\Users\Admin\AppData\Local\Temp\tmp240620531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240620531.exe
98⤵
PID:5076

C:\Users\Admin\AppData\Local\Temp\tmp240621406.exe
C:\Users\Admin\AppData\Local\Temp\tmp240621406.exe
99⤵
PID:4492

C:\Users\Admin\AppData\Local\Temp\tmp240621703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240621703.exe
99⤵
PID:1708

C:\Users\Admin\AppData\Local\Temp\tmp240622046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240622046.exe
100⤵
PID:2572

C:\Users\Admin\AppData\Local\Temp\tmp240622062.exe
C:\Users\Admin\AppData\Local\Temp\tmp240622062.exe
100⤵
PID:1140

C:\Users\Admin\AppData\Local\Temp\tmp240622093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240622093.exe
101⤵
PID:5056

C:\Users\Admin\AppData\Local\Temp\tmp240622125.exe
C:\Users\Admin\AppData\Local\Temp\tmp240622125.exe
101⤵
PID:4500

C:\Users\Admin\AppData\Local\Temp\tmp240619750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240619750.exe
96⤵
PID:2900

C:\Users\Admin\AppData\Local\Temp\tmp240620312.exe
C:\Users\Admin\AppData\Local\Temp\tmp240620312.exe
97⤵
- Modifies registry class
PID:4796

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
98⤵
PID:228

C:\Users\Admin\AppData\Local\Temp\tmp240620609.exe
C:\Users\Admin\AppData\Local\Temp\tmp240620609.exe
99⤵
PID:5052

C:\Users\Admin\AppData\Local\Temp\tmp240621453.exe
C:\Users\Admin\AppData\Local\Temp\tmp240621453.exe
99⤵
PID:3060

C:\Users\Admin\AppData\Local\Temp\tmp240622265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240622265.exe
100⤵
PID:1512

C:\Users\Admin\AppData\Local\Temp\tmp240622578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240622578.exe
100⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\tmp240622703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240622703.exe
101⤵
PID:1984

C:\Users\Admin\AppData\Local\Temp\tmp240623093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240623093.exe
101⤵
PID:1884

C:\Users\Admin\AppData\Local\Temp\tmp240623234.exe
C:\Users\Admin\AppData\Local\Temp\tmp240623234.exe
102⤵
PID:4628

C:\Users\Admin\AppData\Local\Temp\tmp240638625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240638625.exe
103⤵
PID:4228

C:\Users\Admin\AppData\Local\Temp\tmp240623281.exe
C:\Users\Admin\AppData\Local\Temp\tmp240623281.exe
102⤵
PID:1240

C:\Users\Admin\AppData\Local\Temp\tmp240620359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240620359.exe
97⤵
PID:4092

C:\Users\Admin\AppData\Local\Temp\tmp240621046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240621046.exe
98⤵
PID:872

C:\Users\Admin\AppData\Local\Temp\tmp240629265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240629265.exe
99⤵
PID:4732

C:\Users\Admin\AppData\Local\Temp\tmp240621328.exe
C:\Users\Admin\AppData\Local\Temp\tmp240621328.exe
98⤵
PID:3672

C:\Users\Admin\AppData\Local\Temp\tmp240621390.exe
C:\Users\Admin\AppData\Local\Temp\tmp240621390.exe
99⤵
PID:2232

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
100⤵
PID:744

C:\Users\Admin\AppData\Local\Temp\tmp240621921.exe
C:\Users\Admin\AppData\Local\Temp\tmp240621921.exe
101⤵
- Modifies registry class
PID:4676

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
102⤵
PID:624

C:\Users\Admin\AppData\Local\Temp\tmp240622296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240622296.exe
103⤵
- Checks computer location settings
- Modifies registry class
PID:4264

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
104⤵
PID:4968

C:\Users\Admin\AppData\Local\Temp\tmp240623000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240623000.exe
105⤵
- Drops file in System32 directory
PID:936

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
106⤵
PID:3172

C:\Users\Admin\AppData\Local\Temp\tmp240623625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240623625.exe
107⤵
PID:4028

C:\Users\Admin\AppData\Local\Temp\tmp240623687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240623687.exe
108⤵
PID:2412

C:\Users\Admin\AppData\Local\Temp\tmp240623765.exe
C:\Users\Admin\AppData\Local\Temp\tmp240623765.exe
109⤵
PID:1068

C:\Users\Admin\AppData\Local\Temp\tmp240623781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240623781.exe
109⤵
PID:4688

C:\Users\Admin\AppData\Local\Temp\tmp240623859.exe
C:\Users\Admin\AppData\Local\Temp\tmp240623859.exe
110⤵
PID:4952

C:\Users\Admin\AppData\Local\Temp\tmp240623890.exe
C:\Users\Admin\AppData\Local\Temp\tmp240623890.exe
110⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\tmp240623671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240623671.exe
108⤵
PID:2656

C:\Users\Admin\AppData\Local\Temp\tmp240623578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240623578.exe
107⤵
PID:3348

C:\Users\Admin\AppData\Local\Temp\tmp240623062.exe
C:\Users\Admin\AppData\Local\Temp\tmp240623062.exe
105⤵
PID:1388

C:\Users\Admin\AppData\Local\Temp\tmp240623265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240623265.exe
106⤵
PID:3800

C:\Users\Admin\AppData\Local\Temp\tmp240623343.exe
C:\Users\Admin\AppData\Local\Temp\tmp240623343.exe
106⤵
PID:8

C:\Users\Admin\AppData\Local\Temp\tmp240623453.exe
C:\Users\Admin\AppData\Local\Temp\tmp240623453.exe
107⤵
PID:2400

C:\Users\Admin\AppData\Local\Temp\tmp240623531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240623531.exe
107⤵
PID:4556

C:\Users\Admin\AppData\Local\Temp\tmp240623593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240623593.exe
108⤵
- Checks computer location settings
- Drops file in System32 directory
PID:4648

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
109⤵
PID:4016

C:\Users\Admin\AppData\Local\Temp\tmp240624078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240624078.exe
110⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:2504

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
111⤵
PID:3372

C:\Users\Admin\AppData\Local\Temp\tmp240624562.exe
C:\Users\Admin\AppData\Local\Temp\tmp240624562.exe
112⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:1892

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
113⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\tmp240624953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240624953.exe
114⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:1488

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
115⤵
PID:3412

C:\Users\Admin\AppData\Local\Temp\tmp240625484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240625484.exe
116⤵
- Checks computer location settings
- Drops file in System32 directory
PID:1424

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
117⤵
PID:3012

C:\Users\Admin\AppData\Local\Temp\tmp240625953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240625953.exe
118⤵
- Modifies registry class
PID:1328

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
119⤵
PID:1660

C:\Users\Admin\AppData\Local\Temp\tmp240626359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240626359.exe
120⤵
PID:1740

C:\Users\Admin\AppData\Local\Temp\tmp240626390.exe
C:\Users\Admin\AppData\Local\Temp\tmp240626390.exe
120⤵
PID:612

C:\Users\Admin\AppData\Local\Temp\tmp240626468.exe
C:\Users\Admin\AppData\Local\Temp\tmp240626468.exe
121⤵
PID:2420

C:\Users\Admin\AppData\Local\Temp\tmp240626562.exe
C:\Users\Admin\AppData\Local\Temp\tmp240626562.exe
121⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\tmp240626750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240626750.exe
122⤵
PID:2344

C:\Users\Admin\AppData\Local\Temp\tmp240626781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240626781.exe
122⤵
PID:3504

C:\Users\Admin\AppData\Local\Temp\tmp240626828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240626828.exe
123⤵
PID:1984

C:\Users\Admin\AppData\Local\Temp\tmp240626843.exe
C:\Users\Admin\AppData\Local\Temp\tmp240626843.exe
123⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\tmp240626875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240626875.exe
124⤵
PID:4548

C:\Users\Admin\AppData\Local\Temp\tmp240626953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240626953.exe
124⤵
PID:2188

C:\Users\Admin\AppData\Local\Temp\tmp240627000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240627000.exe
125⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\tmp240627015.exe
C:\Users\Admin\AppData\Local\Temp\tmp240627015.exe
125⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\tmp240625968.exe
C:\Users\Admin\AppData\Local\Temp\tmp240625968.exe
118⤵
PID:228

C:\Users\Admin\AppData\Local\Temp\tmp240626000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240626000.exe
119⤵
PID:3876

C:\Users\Admin\AppData\Local\Temp\tmp240626078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240626078.exe
119⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\tmp240626218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240626218.exe
120⤵
PID:4284

C:\Users\Admin\AppData\Local\Temp\tmp240626343.exe
C:\Users\Admin\AppData\Local\Temp\tmp240626343.exe
120⤵
PID:4036

C:\Users\Admin\AppData\Local\Temp\tmp240626453.exe
C:\Users\Admin\AppData\Local\Temp\tmp240626453.exe
121⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\tmp240626625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240626625.exe
121⤵
PID:4188

C:\Users\Admin\AppData\Local\Temp\tmp240626937.exe
C:\Users\Admin\AppData\Local\Temp\tmp240626937.exe
122⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\tmp240627109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240627109.exe
122⤵
PID:1592

C:\Users\Admin\AppData\Local\Temp\tmp240627281.exe
C:\Users\Admin\AppData\Local\Temp\tmp240627281.exe
123⤵
PID:2616

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
124⤵
PID:3836

C:\Users\Admin\AppData\Local\Temp\tmp240627562.exe
C:\Users\Admin\AppData\Local\Temp\tmp240627562.exe
125⤵
PID:2336

C:\Users\Admin\AppData\Local\Temp\tmp240627640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240627640.exe
125⤵
PID:1120

C:\Users\Admin\AppData\Local\Temp\tmp240627828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240627828.exe
126⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\tmp240627875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240627875.exe
126⤵
PID:4448

C:\Users\Admin\AppData\Local\Temp\tmp240627953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240627953.exe
127⤵
PID:4648

C:\Users\Admin\AppData\Local\Temp\tmp240627984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240627984.exe
127⤵
PID:4424

C:\Users\Admin\AppData\Local\Temp\tmp240628062.exe
C:\Users\Admin\AppData\Local\Temp\tmp240628062.exe
128⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\tmp240628109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240628109.exe
128⤵
PID:4644

C:\Users\Admin\AppData\Local\Temp\tmp240628187.exe
C:\Users\Admin\AppData\Local\Temp\tmp240628187.exe
129⤵
PID:4240

C:\Users\Admin\AppData\Local\Temp\tmp240628218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240628218.exe
129⤵
PID:5060

C:\Users\Admin\AppData\Local\Temp\tmp240628359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240628359.exe
130⤵
PID:3372

C:\Users\Admin\AppData\Local\Temp\tmp240628390.exe
C:\Users\Admin\AppData\Local\Temp\tmp240628390.exe
130⤵
PID:336

C:\Users\Admin\AppData\Local\Temp\tmp240627296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240627296.exe
123⤵
PID:1936

C:\Users\Admin\AppData\Local\Temp\tmp240625578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240625578.exe
116⤵
PID:4336

C:\Users\Admin\AppData\Local\Temp\tmp240625640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240625640.exe
117⤵
PID:2584

C:\Users\Admin\AppData\Local\Temp\tmp240625687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240625687.exe
117⤵
PID:3884

C:\Users\Admin\AppData\Local\Temp\tmp240625718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240625718.exe
118⤵
PID:1404

C:\Users\Admin\AppData\Local\Temp\tmp240626031.exe
C:\Users\Admin\AppData\Local\Temp\tmp240626031.exe
118⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\tmp240626109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240626109.exe
119⤵
PID:3452

C:\Users\Admin\AppData\Local\Temp\tmp240626156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240626156.exe
119⤵
PID:2280

C:\Users\Admin\AppData\Local\Temp\tmp240626265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240626265.exe
120⤵
PID:3608

C:\Users\Admin\AppData\Local\Temp\tmp240626281.exe
C:\Users\Admin\AppData\Local\Temp\tmp240626281.exe
120⤵
PID:2032

C:\Users\Admin\AppData\Local\Temp\tmp240626406.exe
C:\Users\Admin\AppData\Local\Temp\tmp240626406.exe
121⤵
- Checks computer location settings
- Drops file in System32 directory
PID:2940

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
122⤵
PID:3008

C:\Users\Admin\AppData\Local\Temp\tmp240626968.exe
C:\Users\Admin\AppData\Local\Temp\tmp240626968.exe
123⤵
PID:4228

C:\Users\Admin\AppData\Local\Temp\tmp240627046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240627046.exe
123⤵
PID:840

C:\Users\Admin\AppData\Local\Temp\tmp240627359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240627359.exe
124⤵
PID:1444

C:\Users\Admin\AppData\Local\Temp\tmp240627453.exe
C:\Users\Admin\AppData\Local\Temp\tmp240627453.exe
124⤵
PID:5108

C:\Users\Admin\AppData\Local\Temp\tmp240627515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240627515.exe
125⤵
- Checks computer location settings
- Drops file in System32 directory
PID:2416

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
126⤵
PID:5008

C:\Users\Admin\AppData\Local\Temp\tmp240628046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240628046.exe
127⤵
- Drops file in System32 directory
PID:3088

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
128⤵
PID:4520

C:\Users\Admin\AppData\Local\Temp\tmp240628546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240628546.exe
129⤵
PID:4244

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
130⤵
PID:3580

C:\Users\Admin\AppData\Local\Temp\tmp240628843.exe
C:\Users\Admin\AppData\Local\Temp\tmp240628843.exe
131⤵
- Checks computer location settings
PID:928

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
132⤵
PID:2468

C:\Users\Admin\AppData\Local\Temp\tmp240629531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240629531.exe
133⤵
PID:3884

C:\Users\Admin\AppData\Local\Temp\tmp240629718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240629718.exe
134⤵
PID:3452

C:\Users\Admin\AppData\Local\Temp\tmp240629828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240629828.exe
134⤵
PID:1348

C:\Users\Admin\AppData\Local\Temp\tmp240629890.exe
C:\Users\Admin\AppData\Local\Temp\tmp240629890.exe
135⤵
PID:4972

C:\Users\Admin\AppData\Local\Temp\tmp240630000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240630000.exe
135⤵
PID:5032

C:\Users\Admin\AppData\Local\Temp\tmp240630078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240630078.exe
136⤵
- Drops file in System32 directory
- Modifies registry class
PID:1740

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
137⤵
PID:4548

C:\Users\Admin\AppData\Local\Temp\tmp240630640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240630640.exe
138⤵
PID:1932

C:\Users\Admin\AppData\Local\Temp\tmp240630671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240630671.exe
138⤵
PID:3292

C:\Users\Admin\AppData\Local\Temp\tmp240630781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240630781.exe
139⤵
PID:4588

C:\Users\Admin\AppData\Local\Temp\tmp240630812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240630812.exe
139⤵
PID:3404

C:\Users\Admin\AppData\Local\Temp\tmp240630890.exe
C:\Users\Admin\AppData\Local\Temp\tmp240630890.exe
140⤵
PID:3572

C:\Users\Admin\AppData\Local\Temp\tmp240630921.exe
C:\Users\Admin\AppData\Local\Temp\tmp240630921.exe
140⤵
PID:5044

C:\Users\Admin\AppData\Local\Temp\tmp240631203.exe
C:\Users\Admin\AppData\Local\Temp\tmp240631203.exe
141⤵
PID:4328

C:\Users\Admin\AppData\Local\Temp\tmp240631250.exe
C:\Users\Admin\AppData\Local\Temp\tmp240631250.exe
141⤵
PID:1816

C:\Users\Admin\AppData\Local\Temp\tmp240631500.exe
C:\Users\Admin\AppData\Local\Temp\tmp240631500.exe
142⤵
PID:5084

C:\Users\Admin\AppData\Local\Temp\tmp240631671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240631671.exe
142⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\tmp240631796.exe
C:\Users\Admin\AppData\Local\Temp\tmp240631796.exe
143⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\tmp240631859.exe
C:\Users\Admin\AppData\Local\Temp\tmp240631859.exe
143⤵
PID:4956

C:\Users\Admin\AppData\Local\Temp\tmp240630156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240630156.exe
136⤵
PID:4744

C:\Users\Admin\AppData\Local\Temp\tmp240630218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240630218.exe
137⤵
PID:2148

C:\Users\Admin\AppData\Local\Temp\tmp240630312.exe
C:\Users\Admin\AppData\Local\Temp\tmp240630312.exe
137⤵
PID:856

C:\Users\Admin\AppData\Local\Temp\tmp240630375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240630375.exe
138⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\tmp240630406.exe
C:\Users\Admin\AppData\Local\Temp\tmp240630406.exe
138⤵
PID:3784

C:\Users\Admin\AppData\Local\Temp\tmp240628859.exe
C:\Users\Admin\AppData\Local\Temp\tmp240628859.exe
131⤵
PID:3028

C:\Users\Admin\AppData\Local\Temp\tmp240628937.exe
C:\Users\Admin\AppData\Local\Temp\tmp240628937.exe
132⤵
PID:2924

C:\Users\Admin\AppData\Local\Temp\tmp240628984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240628984.exe
132⤵
PID:4380

C:\Users\Admin\AppData\Local\Temp\tmp240629125.exe
C:\Users\Admin\AppData\Local\Temp\tmp240629125.exe
133⤵
PID:3496

C:\Users\Admin\AppData\Local\Temp\tmp240629203.exe
C:\Users\Admin\AppData\Local\Temp\tmp240629203.exe
134⤵
PID:4324

C:\Users\Admin\AppData\Local\Temp\tmp240629343.exe
C:\Users\Admin\AppData\Local\Temp\tmp240629343.exe
134⤵
PID:2960

C:\Users\Admin\AppData\Local\Temp\tmp240629593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240629593.exe
135⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\tmp240629765.exe
C:\Users\Admin\AppData\Local\Temp\tmp240629765.exe
135⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\tmp240629953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240629953.exe
136⤵
PID:2444

C:\Users\Admin\AppData\Local\Temp\tmp240629984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240629984.exe
136⤵
PID:4264

C:\Users\Admin\AppData\Local\Temp\tmp240629109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240629109.exe
133⤵
PID:5112

C:\Users\Admin\AppData\Local\Temp\tmp240628562.exe
C:\Users\Admin\AppData\Local\Temp\tmp240628562.exe
129⤵
PID:4320

C:\Users\Admin\AppData\Local\Temp\tmp240629156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240629156.exe
130⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\tmp240629187.exe
C:\Users\Admin\AppData\Local\Temp\tmp240629187.exe
130⤵
PID:872

C:\Users\Admin\AppData\Local\Temp\tmp240629296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240629296.exe
131⤵
PID:1708

C:\Users\Admin\AppData\Local\Temp\tmp240629421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240629421.exe
132⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\tmp240628140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240628140.exe
127⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\tmp240628265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240628265.exe
128⤵
PID:4436

C:\Users\Admin\AppData\Local\Temp\tmp240628296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240628296.exe
128⤵
PID:4392

C:\Users\Admin\AppData\Local\Temp\tmp240628375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240628375.exe
129⤵
PID:3312

C:\Users\Admin\AppData\Local\Temp\tmp240628765.exe
C:\Users\Admin\AppData\Local\Temp\tmp240628765.exe
129⤵
PID:4092

C:\Users\Admin\AppData\Local\Temp\tmp240629140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240629140.exe
130⤵
PID:3332

C:\Users\Admin\AppData\Local\Temp\tmp240629250.exe
C:\Users\Admin\AppData\Local\Temp\tmp240629250.exe
130⤵
PID:2044

C:\Users\Admin\AppData\Local\Temp\tmp240629453.exe
C:\Users\Admin\AppData\Local\Temp\tmp240629453.exe
131⤵
PID:1784

C:\Users\Admin\AppData\Local\Temp\tmp240629546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240629546.exe
132⤵
- Modifies registry class
PID:1404

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
133⤵
PID:2700

C:\Users\Admin\AppData\Local\Temp\tmp240630187.exe
C:\Users\Admin\AppData\Local\Temp\tmp240630187.exe
134⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\tmp240630265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240630265.exe
135⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\tmp240630359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240630359.exe
135⤵
PID:1976

C:\Users\Admin\AppData\Local\Temp\tmp240630421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240630421.exe
136⤵
PID:2740

C:\Users\Admin\AppData\Local\Temp\tmp240630453.exe
C:\Users\Admin\AppData\Local\Temp\tmp240630453.exe
136⤵
PID:2596

C:\Users\Admin\AppData\Local\Temp\tmp240630562.exe
C:\Users\Admin\AppData\Local\Temp\tmp240630562.exe
137⤵
PID:4968

C:\Users\Admin\AppData\Local\Temp\tmp240630609.exe
C:\Users\Admin\AppData\Local\Temp\tmp240630609.exe
138⤵
PID:4868

C:\Users\Admin\AppData\Local\Temp\tmp240630718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240630718.exe
139⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\tmp240630687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240630687.exe
139⤵
PID:4812

C:\Users\Admin\AppData\Local\Temp\tmp240638609.exe
C:\Users\Admin\AppData\Local\Temp\tmp240638609.exe
140⤵
PID:1884

C:\Users\Admin\AppData\Local\Temp\tmp240638640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240638640.exe
140⤵
PID:4548

C:\Users\Admin\AppData\Local\Temp\tmp240630593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240630593.exe
138⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\tmp240630546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240630546.exe
137⤵
- Checks computer location settings
PID:4544

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
138⤵
- Checks computer location settings
- Modifies registry class
PID:2616

C:\Users\Admin\AppData\Local\Temp\tmp240631015.exe
C:\Users\Admin\AppData\Local\Temp\tmp240631015.exe
139⤵
- Checks computer location settings
PID:936

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
140⤵
PID:4532

C:\Users\Admin\AppData\Local\Temp\tmp240631578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240631578.exe
141⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\tmp240631640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240631640.exe
141⤵
PID:4640

C:\Users\Admin\AppData\Local\Temp\tmp240631734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240631734.exe
142⤵
PID:4516

C:\Users\Admin\AppData\Local\Temp\tmp240631781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240631781.exe
142⤵
PID:4056

C:\Users\Admin\AppData\Local\Temp\tmp240631968.exe
C:\Users\Admin\AppData\Local\Temp\tmp240631968.exe
143⤵
PID:2396

C:\Users\Admin\AppData\Local\Temp\tmp240632000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240632000.exe
143⤵
PID:2992

C:\Users\Admin\AppData\Local\Temp\tmp240632078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240632078.exe
144⤵
PID:3296

C:\Users\Admin\AppData\Local\Temp\tmp240632093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240632093.exe
144⤵
PID:1692

C:\Users\Admin\AppData\Local\Temp\tmp240632156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240632156.exe
145⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\tmp240632218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240632218.exe
145⤵
PID:4656

C:\Users\Admin\AppData\Local\Temp\tmp240632328.exe
C:\Users\Admin\AppData\Local\Temp\tmp240632328.exe
146⤵
PID:216

C:\Users\Admin\AppData\Local\Temp\tmp240631109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240631109.exe
139⤵
PID:4556

C:\Users\Admin\AppData\Local\Temp\tmp240631218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240631218.exe
140⤵
PID:3288

C:\Users\Admin\AppData\Local\Temp\tmp240631546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240631546.exe
140⤵
PID:3548

C:\Users\Admin\AppData\Local\Temp\tmp240631609.exe
C:\Users\Admin\AppData\Local\Temp\tmp240631609.exe
141⤵
- Drops file in System32 directory
PID:760

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
142⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\tmp240632343.exe
C:\Users\Admin\AppData\Local\Temp\tmp240632343.exe
143⤵
- Checks computer location settings
- Drops file in System32 directory
PID:4244

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
144⤵
PID:3332

C:\Users\Admin\AppData\Local\Temp\tmp240632812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240632812.exe
145⤵
- Modifies registry class
PID:3728

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
146⤵
PID:3208

C:\Users\Admin\AppData\Local\Temp\tmp240633281.exe
C:\Users\Admin\AppData\Local\Temp\tmp240633281.exe
147⤵
- Drops file in System32 directory
PID:2280

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
148⤵
PID:1660

C:\Users\Admin\AppData\Local\Temp\tmp240633812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240633812.exe
149⤵
- Checks computer location settings
PID:2148

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
150⤵
PID:2596

C:\Users\Admin\AppData\Local\Temp\tmp240634203.exe
C:\Users\Admin\AppData\Local\Temp\tmp240634203.exe
151⤵
PID:4228

C:\Users\Admin\AppData\Local\Temp\tmp240634265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240634265.exe
152⤵
PID:3616

C:\Users\Admin\AppData\Local\Temp\tmp240634296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240634296.exe
152⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\tmp240634437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240634437.exe
153⤵
PID:2408

C:\Users\Admin\AppData\Local\Temp\tmp240634484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240634484.exe
153⤵
PID:4304

C:\Users\Admin\AppData\Local\Temp\tmp240634546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240634546.exe
154⤵
PID:3404

C:\Users\Admin\AppData\Local\Temp\tmp240634562.exe
C:\Users\Admin\AppData\Local\Temp\tmp240634562.exe
154⤵
PID:4924

C:\Users\Admin\AppData\Local\Temp\tmp240634625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240634625.exe
155⤵
PID:4952

C:\Users\Admin\AppData\Local\Temp\tmp240634671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240634671.exe
156⤵
PID:1848

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
157⤵
PID:224

C:\Users\Admin\AppData\Local\Temp\tmp240635421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240635421.exe
158⤵
PID:1048

C:\Users\Admin\AppData\Local\Temp\tmp240635484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240635484.exe
159⤵
PID:4184

C:\Users\Admin\AppData\Local\Temp\tmp240635625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240635625.exe
159⤵
PID:4008

C:\Users\Admin\AppData\Local\Temp\tmp240635703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240635703.exe
160⤵
PID:1456

C:\Users\Admin\AppData\Local\Temp\tmp240635750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240635750.exe
160⤵
PID:3636

C:\Users\Admin\AppData\Local\Temp\tmp240635812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240635812.exe
161⤵
PID:4520

C:\Users\Admin\AppData\Local\Temp\tmp240635828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240635828.exe
161⤵
PID:4672

C:\Users\Admin\AppData\Local\Temp\tmp240635906.exe
C:\Users\Admin\AppData\Local\Temp\tmp240635906.exe
162⤵
- Checks computer location settings
PID:4492

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
163⤵
PID:4676

C:\Users\Admin\AppData\Local\Temp\tmp240637109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240637109.exe
164⤵
- Modifies registry class
PID:1064

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
165⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\tmp240638109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240638109.exe
166⤵
- Checks computer location settings
- Modifies registry class
PID:856

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
167⤵
PID:4628

C:\Users\Admin\AppData\Local\Temp\tmp240638703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240638703.exe
168⤵
PID:2284

C:\Users\Admin\AppData\Local\Temp\tmp240638781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240638781.exe
169⤵
PID:1240

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
170⤵
PID:5080

C:\Users\Admin\AppData\Local\Temp\tmp240639515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240639515.exe
171⤵
PID:1532

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
172⤵
PID:3772

C:\Users\Admin\AppData\Local\Temp\tmp240640015.exe
C:\Users\Admin\AppData\Local\Temp\tmp240640015.exe
173⤵
PID:4528

C:\Users\Admin\AppData\Local\Temp\tmp240640062.exe
C:\Users\Admin\AppData\Local\Temp\tmp240640062.exe
174⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\tmp240640171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240640171.exe
174⤵
- Drops file in System32 directory
- Modifies registry class
PID:2192

C:\Users\Admin\AppData\Local\Temp\tmp240640359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240640359.exe
175⤵
PID:392

C:\Users\Admin\AppData\Local\Temp\tmp240640375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240640375.exe
175⤵
PID:4772

C:\Users\Admin\AppData\Local\Temp\tmp240640468.exe
C:\Users\Admin\AppData\Local\Temp\tmp240640468.exe
176⤵
PID:3788

C:\Users\Admin\AppData\Local\Temp\tmp240640546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240640546.exe
176⤵
PID:5036

C:\Users\Admin\AppData\Local\Temp\tmp240640625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240640625.exe
177⤵
PID:2432

C:\Users\Admin\AppData\Local\Temp\tmp240640640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240640640.exe
177⤵
PID:4208

C:\Users\Admin\AppData\Local\Temp\tmp240640750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240640750.exe
178⤵
- Checks computer location settings
- Drops file in System32 directory
PID:2228

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
179⤵
PID:4396

C:\Users\Admin\AppData\Local\Temp\tmp240641453.exe
C:\Users\Admin\AppData\Local\Temp\tmp240641453.exe
180⤵
PID:900

C:\Users\Admin\AppData\Local\Temp\tmp240641546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240641546.exe
181⤵
PID:2440

C:\Users\Admin\AppData\Local\Temp\tmp240641578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240641578.exe
181⤵
PID:1560

C:\Users\Admin\AppData\Local\Temp\tmp240641718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240641718.exe
182⤵
PID:1544

C:\Users\Admin\AppData\Local\Temp\tmp240641750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240641750.exe
182⤵
PID:2740

C:\Users\Admin\AppData\Local\Temp\tmp240641828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240641828.exe
183⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\tmp240641875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240641875.exe
183⤵
PID:2720

C:\Users\Admin\AppData\Local\Temp\tmp240641968.exe
C:\Users\Admin\AppData\Local\Temp\tmp240641968.exe
184⤵
PID:2780

C:\Users\Admin\AppData\Local\Temp\tmp240642015.exe
C:\Users\Admin\AppData\Local\Temp\tmp240642015.exe
184⤵
PID:3800

C:\Users\Admin\AppData\Local\Temp\tmp240642156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240642156.exe
185⤵
PID:2596

C:\Users\Admin\AppData\Local\Temp\tmp240642203.exe
C:\Users\Admin\AppData\Local\Temp\tmp240642203.exe
185⤵
PID:4548

C:\Users\Admin\AppData\Local\Temp\tmp240642281.exe
C:\Users\Admin\AppData\Local\Temp\tmp240642281.exe
186⤵
PID:2284

C:\Users\Admin\AppData\Local\Temp\tmp240642328.exe
C:\Users\Admin\AppData\Local\Temp\tmp240642328.exe
186⤵
PID:3020

C:\Users\Admin\AppData\Local\Temp\tmp240642437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240642437.exe
187⤵
PID:4028

C:\Users\Admin\AppData\Local\Temp\tmp240642515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240642515.exe
187⤵
PID:3404

C:\Users\Admin\AppData\Local\Temp\tmp240642609.exe
C:\Users\Admin\AppData\Local\Temp\tmp240642609.exe
188⤵
PID:4300

C:\Users\Admin\AppData\Local\Temp\tmp240642734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240642734.exe
188⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\tmp240642828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240642828.exe
189⤵
PID:5040

C:\Users\Admin\AppData\Local\Temp\tmp240642875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240642875.exe
189⤵
PID:2616

C:\Users\Admin\AppData\Local\Temp\tmp240641421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240641421.exe
180⤵
- Checks computer location settings
- Modifies registry class
PID:4284

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
181⤵
PID:5088

C:\Users\Admin\AppData\Local\Temp\tmp240642031.exe
C:\Users\Admin\AppData\Local\Temp\tmp240642031.exe
182⤵
PID:4188

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
183⤵
PID:3524

C:\Users\Admin\AppData\Local\Temp\tmp240642843.exe
C:\Users\Admin\AppData\Local\Temp\tmp240642843.exe
184⤵
PID:3288

C:\Users\Admin\AppData\Local\Temp\tmp240642921.exe
C:\Users\Admin\AppData\Local\Temp\tmp240642921.exe
184⤵
PID:4600

C:\Users\Admin\AppData\Local\Temp\tmp240643218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240643218.exe
185⤵
PID:3348

C:\Users\Admin\AppData\Local\Temp\tmp240643312.exe
C:\Users\Admin\AppData\Local\Temp\tmp240643312.exe
186⤵
PID:1416

C:\Users\Admin\AppData\Local\Temp\tmp240645203.exe
C:\Users\Admin\AppData\Local\Temp\tmp240645203.exe
186⤵
PID:2436

C:\Users\Admin\AppData\Local\Temp\tmp240645265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240645265.exe
187⤵
PID:3028

C:\Users\Admin\AppData\Local\Temp\tmp240645546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240645546.exe
187⤵
PID:4008

C:\Users\Admin\AppData\Local\Temp\tmp240645656.exe
C:\Users\Admin\AppData\Local\Temp\tmp240645656.exe
188⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\tmp240645687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240645687.exe
188⤵
PID:4072

C:\Users\Admin\AppData\Local\Temp\tmp240645828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240645828.exe
189⤵
PID:2192

C:\Users\Admin\AppData\Local\Temp\tmp240645890.exe
C:\Users\Admin\AppData\Local\Temp\tmp240645890.exe
189⤵
PID:4748

C:\Users\Admin\AppData\Local\Temp\tmp240645953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240645953.exe
190⤵
PID:3120

C:\Users\Admin\AppData\Local\Temp\tmp240645984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240645984.exe
190⤵
PID:928

C:\Users\Admin\AppData\Local\Temp\tmp240646093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646093.exe
191⤵
PID:5036

C:\Users\Admin\AppData\Local\Temp\tmp240646140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646140.exe
191⤵
PID:2456

C:\Users\Admin\AppData\Local\Temp\tmp240646390.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646390.exe
192⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\tmp240646578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646578.exe
192⤵
PID:624

C:\Users\Admin\AppData\Local\Temp\tmp240646796.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646796.exe
193⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\tmp240646859.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646859.exe
193⤵
PID:1872

C:\Users\Admin\AppData\Local\Temp\tmp240642062.exe
C:\Users\Admin\AppData\Local\Temp\tmp240642062.exe
182⤵
PID:2056

C:\Users\Admin\AppData\Local\Temp\tmp240642171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240642171.exe
183⤵
PID:4228

C:\Users\Admin\AppData\Local\Temp\tmp240642234.exe
C:\Users\Admin\AppData\Local\Temp\tmp240642234.exe
183⤵
PID:4032

C:\Users\Admin\AppData\Local\Temp\tmp240642296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240642296.exe
184⤵
PID:2944

C:\Users\Admin\AppData\Local\Temp\tmp240642343.exe
C:\Users\Admin\AppData\Local\Temp\tmp240642343.exe
184⤵
PID:3512

C:\Users\Admin\AppData\Local\Temp\tmp240642453.exe
C:\Users\Admin\AppData\Local\Temp\tmp240642453.exe
185⤵
PID:5108

C:\Users\Admin\AppData\Local\Temp\tmp240642500.exe
C:\Users\Admin\AppData\Local\Temp\tmp240642500.exe
185⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\tmp240642593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240642593.exe
186⤵
PID:2968

C:\Users\Admin\AppData\Local\Temp\tmp240642656.exe
C:\Users\Admin\AppData\Local\Temp\tmp240642656.exe
186⤵
PID:4168

C:\Users\Admin\AppData\Local\Temp\tmp240642765.exe
C:\Users\Admin\AppData\Local\Temp\tmp240642765.exe
187⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:4448

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
188⤵
PID:756

C:\Users\Admin\AppData\Local\Temp\tmp240645281.exe
C:\Users\Admin\AppData\Local\Temp\tmp240645281.exe
189⤵
- Checks computer location settings
PID:3236

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
190⤵
PID:5116

C:\Users\Admin\AppData\Local\Temp\tmp240645875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240645875.exe
191⤵
PID:1488

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
192⤵
PID:3208

C:\Users\Admin\AppData\Local\Temp\tmp240646718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646718.exe
193⤵
PID:540

C:\Users\Admin\AppData\Local\Temp\tmp240646781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646781.exe
193⤵
PID:2700

C:\Users\Admin\AppData\Local\Temp\tmp240646984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646984.exe
194⤵
PID:4272

C:\Users\Admin\AppData\Local\Temp\tmp240647265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240647265.exe
194⤵
PID:4452

C:\Users\Admin\AppData\Local\Temp\tmp240647421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240647421.exe
195⤵
PID:2720

C:\Users\Admin\AppData\Local\Temp\tmp240647578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240647578.exe
196⤵
PID:4160

C:\Users\Admin\AppData\Local\Temp\tmp240647812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240647812.exe
197⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\tmp240648296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240648296.exe
198⤵
PID:652

C:\Users\Admin\AppData\Local\Temp\tmp240648437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240648437.exe
198⤵
PID:1816

C:\Users\Admin\AppData\Local\Temp\tmp240648531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240648531.exe
199⤵
PID:4372

C:\Users\Admin\AppData\Local\Temp\tmp240648640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240648640.exe
199⤵
PID:4424

C:\Users\Admin\AppData\Local\Temp\tmp240648875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240648875.exe
200⤵
PID:3088

C:\Users\Admin\AppData\Local\Temp\tmp240649140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240649140.exe
201⤵
PID:616

C:\Users\Admin\AppData\Local\Temp\tmp240649203.exe
C:\Users\Admin\AppData\Local\Temp\tmp240649203.exe
201⤵
PID:5112

C:\Users\Admin\AppData\Local\Temp\tmp240649812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240649812.exe
202⤵
PID:2576

C:\Users\Admin\AppData\Local\Temp\tmp240648843.exe
C:\Users\Admin\AppData\Local\Temp\tmp240648843.exe
200⤵
PID:4688

C:\Users\Admin\AppData\Local\Temp\tmp240647750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240647750.exe
197⤵
- Drops file in System32 directory
- Modifies registry class
PID:2216

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
198⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\tmp240649218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240649218.exe
199⤵
PID:4528

C:\Users\Admin\AppData\Local\Temp\tmp240649578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240649578.exe
200⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\tmp240649703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240649703.exe
201⤵
PID:4320

C:\Users\Admin\AppData\Local\Temp\tmp240649750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240649750.exe
201⤵
PID:3696

C:\Users\Admin\AppData\Local\Temp\tmp240650125.exe
C:\Users\Admin\AppData\Local\Temp\tmp240650125.exe
202⤵
PID:4316

C:\Users\Admin\AppData\Local\Temp\tmp240650203.exe
C:\Users\Admin\AppData\Local\Temp\tmp240650203.exe
203⤵
PID:3132

C:\Users\Admin\AppData\Local\Temp\tmp240650359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240650359.exe
203⤵
PID:372

C:\Users\Admin\AppData\Local\Temp\tmp240650453.exe
C:\Users\Admin\AppData\Local\Temp\tmp240650453.exe
204⤵
PID:2148

C:\Users\Admin\AppData\Local\Temp\tmp240650500.exe
C:\Users\Admin\AppData\Local\Temp\tmp240650500.exe
204⤵
PID:3884

C:\Users\Admin\AppData\Local\Temp\tmp240650625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240650625.exe
205⤵
PID:1216

C:\Users\Admin\AppData\Local\Temp\tmp240650671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240650671.exe
205⤵
PID:3008

C:\Users\Admin\AppData\Local\Temp\tmp240650718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240650718.exe
206⤵
PID:1424

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
207⤵
PID:3048

C:\Users\Admin\AppData\Local\Temp\tmp240651171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240651171.exe
208⤵
PID:2236

C:\Users\Admin\AppData\Local\Temp\tmp240651250.exe
C:\Users\Admin\AppData\Local\Temp\tmp240651250.exe
209⤵
PID:4548

C:\Users\Admin\AppData\Local\Temp\tmp240651265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240651265.exe
209⤵
PID:5104

C:\Users\Admin\AppData\Local\Temp\tmp240651468.exe
C:\Users\Admin\AppData\Local\Temp\tmp240651468.exe
210⤵
PID:2064

C:\Users\Admin\AppData\Local\Temp\tmp240651500.exe
C:\Users\Admin\AppData\Local\Temp\tmp240651500.exe
210⤵
PID:1388

C:\Users\Admin\AppData\Local\Temp\tmp240651562.exe
C:\Users\Admin\AppData\Local\Temp\tmp240651562.exe
211⤵
PID:4212

C:\Users\Admin\AppData\Local\Temp\tmp240651640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240651640.exe
211⤵
PID:4288

C:\Users\Admin\AppData\Local\Temp\tmp240651734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240651734.exe
212⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\tmp240651921.exe
C:\Users\Admin\AppData\Local\Temp\tmp240651921.exe
212⤵
PID:4556

C:\Users\Admin\AppData\Local\Temp\tmp240652031.exe
C:\Users\Admin\AppData\Local\Temp\tmp240652031.exe
213⤵
PID:2552

C:\Users\Admin\AppData\Local\Temp\tmp240652093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240652093.exe
213⤵
PID:4252

C:\Users\Admin\AppData\Local\Temp\tmp240652265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240652265.exe
214⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\tmp240652390.exe
C:\Users\Admin\AppData\Local\Temp\tmp240652390.exe
214⤵
PID:4648

C:\Users\Admin\AppData\Local\Temp\tmp240651156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240651156.exe
208⤵
PID:2408

C:\Users\Admin\AppData\Local\Temp\tmp240650781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240650781.exe
206⤵
PID:4020

C:\Users\Admin\AppData\Local\Temp\tmp240650812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240650812.exe
207⤵
PID:900

C:\Users\Admin\AppData\Local\Temp\tmp240650875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240650875.exe
207⤵
PID:1392

C:\Users\Admin\AppData\Local\Temp\tmp240650968.exe
C:\Users\Admin\AppData\Local\Temp\tmp240650968.exe
208⤵
PID:4036

C:\Users\Admin\AppData\Local\Temp\tmp240651000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240651000.exe
208⤵
PID:4472

C:\Users\Admin\AppData\Local\Temp\tmp240649921.exe
C:\Users\Admin\AppData\Local\Temp\tmp240649921.exe
202⤵
PID:3576

C:\Users\Admin\AppData\Local\Temp\tmp240647515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240647515.exe
196⤵
PID:3800

C:\Users\Admin\AppData\Local\Temp\tmp240647343.exe
C:\Users\Admin\AppData\Local\Temp\tmp240647343.exe
195⤵
PID:3048

C:\Users\Admin\AppData\Local\Temp\tmp240646000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646000.exe
191⤵
PID:216

C:\Users\Admin\AppData\Local\Temp\tmp240646296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646296.exe
192⤵
PID:228

C:\Users\Admin\AppData\Local\Temp\tmp240646406.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646406.exe
192⤵
PID:608

C:\Users\Admin\AppData\Local\Temp\tmp240646593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646593.exe
193⤵
PID:2444

C:\Users\Admin\AppData\Local\Temp\tmp240646687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646687.exe
194⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:1404

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
195⤵
PID:3292

C:\Users\Admin\AppData\Local\Temp\tmp240647625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240647625.exe
196⤵
PID:1932

C:\Users\Admin\AppData\Local\Temp\tmp240647796.exe
C:\Users\Admin\AppData\Local\Temp\tmp240647796.exe
197⤵
PID:3744

C:\Users\Admin\AppData\Local\Temp\tmp240648406.exe
C:\Users\Admin\AppData\Local\Temp\tmp240648406.exe
198⤵
PID:4328

C:\Users\Admin\AppData\Local\Temp\tmp240648656.exe
C:\Users\Admin\AppData\Local\Temp\tmp240648656.exe
198⤵
PID:4948

C:\Users\Admin\AppData\Local\Temp\tmp240647781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240647781.exe
197⤵
PID:4032

C:\Users\Admin\AppData\Local\Temp\tmp240647484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240647484.exe
196⤵
PID:3164

C:\Users\Admin\AppData\Local\Temp\tmp240646750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646750.exe
194⤵
PID:4980

C:\Users\Admin\AppData\Local\Temp\tmp240647062.exe
C:\Users\Admin\AppData\Local\Temp\tmp240647062.exe
195⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\tmp240647125.exe
C:\Users\Admin\AppData\Local\Temp\tmp240647125.exe
195⤵
PID:1736

C:\Users\Admin\AppData\Local\Temp\tmp240647218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240647218.exe
196⤵
PID:3480

C:\Users\Admin\AppData\Local\Temp\tmp240647312.exe
C:\Users\Admin\AppData\Local\Temp\tmp240647312.exe
196⤵
PID:1740

C:\Users\Admin\AppData\Local\Temp\tmp240647453.exe
C:\Users\Admin\AppData\Local\Temp\tmp240647453.exe
197⤵
- Modifies registry class
PID:712

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
198⤵
PID:5084

C:\Users\Admin\AppData\Local\Temp\tmp240648171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240648171.exe
199⤵
PID:3664

C:\Users\Admin\AppData\Local\Temp\tmp240648312.exe
C:\Users\Admin\AppData\Local\Temp\tmp240648312.exe
199⤵
PID:4252

C:\Users\Admin\AppData\Local\Temp\tmp240648421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240648421.exe
200⤵
PID:3548

C:\Users\Admin\AppData\Local\Temp\tmp240648578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240648578.exe
200⤵
PID:4172

C:\Users\Admin\AppData\Local\Temp\tmp240648687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240648687.exe
201⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\tmp240648859.exe
C:\Users\Admin\AppData\Local\Temp\tmp240648859.exe
201⤵
PID:1892

C:\Users\Admin\AppData\Local\Temp\tmp240648984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240648984.exe
202⤵
PID:1416

C:\Users\Admin\AppData\Local\Temp\tmp240649000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240649000.exe
202⤵
PID:2240

C:\Users\Admin\AppData\Local\Temp\tmp240649234.exe
C:\Users\Admin\AppData\Local\Temp\tmp240649234.exe
203⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\tmp240649390.exe
C:\Users\Admin\AppData\Local\Temp\tmp240649390.exe
204⤵
PID:4664

C:\Users\Admin\AppData\Local\Temp\tmp240649484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240649484.exe
204⤵
PID:3940

C:\Users\Admin\AppData\Local\Temp\tmp240649671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240649671.exe
205⤵
PID:1952

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
206⤵
PID:4488

C:\Users\Admin\AppData\Local\Temp\tmp240650750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240650750.exe
207⤵
PID:3828

C:\Users\Admin\AppData\Local\Temp\tmp240650859.exe
C:\Users\Admin\AppData\Local\Temp\tmp240650859.exe
207⤵
PID:1064

C:\Users\Admin\AppData\Local\Temp\tmp240650921.exe
C:\Users\Admin\AppData\Local\Temp\tmp240650921.exe
208⤵
PID:1560

C:\Users\Admin\AppData\Local\Temp\tmp240651031.exe
C:\Users\Admin\AppData\Local\Temp\tmp240651031.exe
208⤵
PID:4620

C:\Users\Admin\AppData\Local\Temp\tmp240651078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240651078.exe
209⤵
PID:1976

C:\Users\Admin\AppData\Local\Temp\tmp240651125.exe
C:\Users\Admin\AppData\Local\Temp\tmp240651125.exe
209⤵
PID:3984

C:\Users\Admin\AppData\Local\Temp\tmp240651218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240651218.exe
210⤵
- Drops file in System32 directory
PID:5020

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
211⤵
PID:4952

C:\Users\Admin\AppData\Local\Temp\tmp240651812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240651812.exe
212⤵
PID:4532

C:\Users\Admin\AppData\Local\Temp\tmp240651875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240651875.exe
212⤵
PID:5108

C:\Users\Admin\AppData\Local\Temp\tmp240652046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240652046.exe
213⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\tmp240652125.exe
C:\Users\Admin\AppData\Local\Temp\tmp240652125.exe
213⤵
PID:1844

C:\Users\Admin\AppData\Local\Temp\tmp240652250.exe
C:\Users\Admin\AppData\Local\Temp\tmp240652250.exe
214⤵
PID:1772

C:\Users\Admin\AppData\Local\Temp\tmp240652296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240652296.exe
214⤵
PID:3720

C:\Users\Admin\AppData\Local\Temp\tmp240651296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240651296.exe
210⤵
PID:2944

C:\Users\Admin\AppData\Local\Temp\tmp240651453.exe
C:\Users\Admin\AppData\Local\Temp\tmp240651453.exe
211⤵
PID:2056

C:\Users\Admin\AppData\Local\Temp\tmp240651484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240651484.exe
211⤵
PID:4812

C:\Users\Admin\AppData\Local\Temp\tmp240651609.exe
C:\Users\Admin\AppData\Local\Temp\tmp240651609.exe
212⤵
PID:3192

C:\Users\Admin\AppData\Local\Temp\tmp240651718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240651718.exe
213⤵
PID:3304

C:\Users\Admin\AppData\Local\Temp\tmp240651781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240651781.exe
213⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\tmp240651937.exe
C:\Users\Admin\AppData\Local\Temp\tmp240651937.exe
214⤵
PID:5004

C:\Users\Admin\AppData\Local\Temp\tmp240652015.exe
C:\Users\Admin\AppData\Local\Temp\tmp240652015.exe
215⤵
PID:4516

C:\Users\Admin\AppData\Local\Temp\tmp240652062.exe
C:\Users\Admin\AppData\Local\Temp\tmp240652062.exe
215⤵
PID:4600

C:\Users\Admin\AppData\Local\Temp\tmp240652234.exe
C:\Users\Admin\AppData\Local\Temp\tmp240652234.exe
216⤵
PID:316

C:\Users\Admin\AppData\Local\Temp\tmp240652406.exe
C:\Users\Admin\AppData\Local\Temp\tmp240652406.exe
216⤵
PID:4016

C:\Users\Admin\AppData\Local\Temp\tmp240652500.exe
C:\Users\Admin\AppData\Local\Temp\tmp240652500.exe
217⤵
PID:4240

C:\Users\Admin\AppData\Local\Temp\tmp240651890.exe
C:\Users\Admin\AppData\Local\Temp\tmp240651890.exe
214⤵
PID:2836

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
215⤵
PID:4760

C:\Users\Admin\AppData\Local\Temp\tmp240652703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240652703.exe
216⤵
PID:1048

C:\Users\Admin\AppData\Local\Temp\tmp240652796.exe
C:\Users\Admin\AppData\Local\Temp\tmp240652796.exe
217⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\tmp240651546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240651546.exe
212⤵
PID:4404

C:\Users\Admin\AppData\Local\Temp\tmp240649765.exe
C:\Users\Admin\AppData\Local\Temp\tmp240649765.exe
205⤵
PID:4712

C:\Users\Admin\AppData\Local\Temp\tmp240647500.exe
C:\Users\Admin\AppData\Local\Temp\tmp240647500.exe
197⤵
PID:4812

C:\Users\Admin\AppData\Local\Temp\tmp240647687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240647687.exe
198⤵
PID:2064

C:\Users\Admin\AppData\Local\Temp\tmp240647718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240647718.exe
198⤵
PID:2184

C:\Users\Admin\AppData\Local\Temp\tmp240648343.exe
C:\Users\Admin\AppData\Local\Temp\tmp240648343.exe
199⤵
PID:4532

C:\Users\Admin\AppData\Local\Temp\tmp240648484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240648484.exe
199⤵
PID:2656

C:\Users\Admin\AppData\Local\Temp\tmp240648609.exe
C:\Users\Admin\AppData\Local\Temp\tmp240648609.exe
200⤵
PID:2552

C:\Users\Admin\AppData\Local\Temp\tmp240648718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240648718.exe
200⤵
PID:3756

C:\Users\Admin\AppData\Local\Temp\tmp240646562.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646562.exe
193⤵
PID:3608

C:\Users\Admin\AppData\Local\Temp\tmp240645296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240645296.exe
189⤵
PID:4524

C:\Users\Admin\AppData\Local\Temp\tmp240645515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240645515.exe
190⤵
PID:4520

C:\Users\Admin\AppData\Local\Temp\tmp240652687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240652687.exe
191⤵
- Modifies registry class
PID:4024

C:\Users\Admin\AppData\Local\Temp\tmp240645562.exe
C:\Users\Admin\AppData\Local\Temp\tmp240645562.exe
190⤵
PID:2260

C:\Users\Admin\AppData\Local\Temp\tmp240645640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240645640.exe
191⤵
PID:4444

C:\Users\Admin\AppData\Local\Temp\tmp240645859.exe
C:\Users\Admin\AppData\Local\Temp\tmp240645859.exe
191⤵
PID:4476

C:\Users\Admin\AppData\Local\Temp\tmp240645906.exe
C:\Users\Admin\AppData\Local\Temp\tmp240645906.exe
192⤵
PID:1508

C:\Users\Admin\AppData\Local\Temp\tmp240645968.exe
C:\Users\Admin\AppData\Local\Temp\tmp240645968.exe
192⤵
PID:4308

C:\Users\Admin\AppData\Local\Temp\tmp240646078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646078.exe
193⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\tmp240646203.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646203.exe
193⤵
PID:2508

C:\Users\Admin\AppData\Local\Temp\tmp240646343.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646343.exe
194⤵
PID:3412

C:\Users\Admin\AppData\Local\Temp\tmp240646359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646359.exe
194⤵
PID:3924

C:\Users\Admin\AppData\Local\Temp\tmp240646515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646515.exe
195⤵
PID:3420

C:\Users\Admin\AppData\Local\Temp\tmp240646531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646531.exe
195⤵
PID:3996

C:\Users\Admin\AppData\Local\Temp\tmp240646625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646625.exe
196⤵
PID:3496

C:\Users\Admin\AppData\Local\Temp\tmp240646703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646703.exe
196⤵
PID:2332

C:\Users\Admin\AppData\Local\Temp\tmp240646828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646828.exe
197⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\tmp240646953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646953.exe
197⤵
PID:5068

C:\Users\Admin\AppData\Local\Temp\tmp240647328.exe
C:\Users\Admin\AppData\Local\Temp\tmp240647328.exe
198⤵
PID:428

C:\Users\Admin\AppData\Local\Temp\tmp240647281.exe
C:\Users\Admin\AppData\Local\Temp\tmp240647281.exe
198⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\tmp240642781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240642781.exe
187⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\tmp240642953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240642953.exe
188⤵
PID:4928

C:\Users\Admin\AppData\Local\Temp\tmp240643046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240643046.exe
189⤵
- Drops file in System32 directory
- Modifies registry class
PID:1240

C:\Users\Admin\AppData\Local\Temp\tmp240643078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240643078.exe
189⤵
PID:4516

C:\Users\Admin\AppData\Local\Temp\tmp240643156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240643156.exe
190⤵
PID:4240

C:\Users\Admin\AppData\Local\Temp\tmp240648890.exe
C:\Users\Admin\AppData\Local\Temp\tmp240648890.exe
191⤵
PID:2320

C:\Users\Admin\AppData\Local\Temp\tmp240643187.exe
C:\Users\Admin\AppData\Local\Temp\tmp240643187.exe
190⤵
PID:4296

C:\Users\Admin\AppData\Local\Temp\tmp240643281.exe
C:\Users\Admin\AppData\Local\Temp\tmp240643281.exe
191⤵
PID:224

C:\Users\Admin\AppData\Local\Temp\tmp240645218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240645218.exe
191⤵
PID:4392

C:\Users\Admin\AppData\Local\Temp\tmp240642859.exe
C:\Users\Admin\AppData\Local\Temp\tmp240642859.exe
188⤵
PID:2976

C:\Users\Admin\AppData\Local\Temp\tmp240640765.exe
C:\Users\Admin\AppData\Local\Temp\tmp240640765.exe
178⤵
PID:3924

C:\Users\Admin\AppData\Local\Temp\tmp240640953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240640953.exe
179⤵
PID:3632

C:\Users\Admin\AppData\Local\Temp\tmp240640984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240640984.exe
179⤵
PID:2368

C:\Users\Admin\AppData\Local\Temp\tmp240641093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240641093.exe
180⤵
PID:4676

C:\Users\Admin\AppData\Local\Temp\tmp240641140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240641140.exe
180⤵
PID:1680

C:\Users\Admin\AppData\Local\Temp\tmp240641218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240641218.exe
181⤵
PID:4332

C:\Users\Admin\AppData\Local\Temp\tmp240641250.exe
C:\Users\Admin\AppData\Local\Temp\tmp240641250.exe
181⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\tmp240649406.exe
C:\Users\Admin\AppData\Local\Temp\tmp240649406.exe
174⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\tmp240640000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240640000.exe
173⤵
- Checks computer location settings
PID:4828

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
174⤵
PID:3988

C:\Users\Admin\AppData\Local\Temp\tmp240640703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240640703.exe
175⤵
PID:3732

C:\Users\Admin\AppData\Local\Temp\tmp240640718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240640718.exe
175⤵
PID:3960

C:\Users\Admin\AppData\Local\Temp\tmp240640828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240640828.exe
176⤵
PID:4876

C:\Users\Admin\AppData\Local\Temp\tmp240640921.exe
C:\Users\Admin\AppData\Local\Temp\tmp240640921.exe
177⤵
PID:1400

C:\Users\Admin\AppData\Local\Temp\tmp240641015.exe
C:\Users\Admin\AppData\Local\Temp\tmp240641015.exe
177⤵
PID:2212

C:\Users\Admin\AppData\Local\Temp\tmp240641078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240641078.exe
178⤵
PID:4336

C:\Users\Admin\AppData\Local\Temp\tmp240641125.exe
C:\Users\Admin\AppData\Local\Temp\tmp240641125.exe
178⤵
PID:2156

C:\Users\Admin\AppData\Local\Temp\tmp240641203.exe
C:\Users\Admin\AppData\Local\Temp\tmp240641203.exe
179⤵
PID:2076

C:\Users\Admin\AppData\Local\Temp\tmp240641328.exe
C:\Users\Admin\AppData\Local\Temp\tmp240641328.exe
179⤵
PID:2252

C:\Users\Admin\AppData\Local\Temp\tmp240641437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240641437.exe
180⤵
PID:1392

C:\Users\Admin\AppData\Local\Temp\tmp240641531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240641531.exe
180⤵
PID:4488

C:\Users\Admin\AppData\Local\Temp\tmp240641609.exe
C:\Users\Admin\AppData\Local\Temp\tmp240641609.exe
181⤵
PID:4460

C:\Users\Admin\AppData\Local\Temp\tmp240641671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240641671.exe
181⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\tmp240641796.exe
C:\Users\Admin\AppData\Local\Temp\tmp240641796.exe
182⤵
PID:4944

C:\Users\Admin\AppData\Local\Temp\tmp240641890.exe
C:\Users\Admin\AppData\Local\Temp\tmp240641890.exe
183⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\tmp240641937.exe
C:\Users\Admin\AppData\Local\Temp\tmp240641937.exe
183⤵
PID:4352

C:\Users\Admin\AppData\Local\Temp\tmp240641781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240641781.exe
182⤵
PID:1984

C:\Users\Admin\AppData\Local\Temp\tmp240640812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240640812.exe
176⤵
PID:1236

C:\Users\Admin\AppData\Local\Temp\tmp240639531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240639531.exe
171⤵
PID:2396

C:\Users\Admin\AppData\Local\Temp\tmp240639625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240639625.exe
172⤵
PID:4428

C:\Users\Admin\AppData\Local\Temp\tmp240639703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240639703.exe
173⤵
- Checks computer location settings
- Modifies registry class
PID:1848

C:\Users\Admin\AppData\Local\Temp\tmp240639765.exe
C:\Users\Admin\AppData\Local\Temp\tmp240639765.exe
173⤵
PID:756

C:\Users\Admin\AppData\Local\Temp\tmp240639828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240639828.exe
174⤵
PID:1892

C:\Users\Admin\AppData\Local\Temp\tmp240639843.exe
C:\Users\Admin\AppData\Local\Temp\tmp240639843.exe
174⤵
PID:1764

C:\Users\Admin\AppData\Local\Temp\tmp240639906.exe
C:\Users\Admin\AppData\Local\Temp\tmp240639906.exe
175⤵
PID:3700

C:\Users\Admin\AppData\Local\Temp\tmp240639953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240639953.exe
175⤵
PID:760

C:\Users\Admin\AppData\Local\Temp\tmp240640046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240640046.exe
176⤵
PID:2924

C:\Users\Admin\AppData\Local\Temp\tmp240640078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240640078.exe
176⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\tmp240640203.exe
C:\Users\Admin\AppData\Local\Temp\tmp240640203.exe
177⤵
PID:3696

C:\Users\Admin\AppData\Local\Temp\tmp240640234.exe
C:\Users\Admin\AppData\Local\Temp\tmp240640234.exe
177⤵
PID:4380

C:\Users\Admin\AppData\Local\Temp\tmp240640296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240640296.exe
178⤵
PID:4712

C:\Users\Admin\AppData\Local\Temp\tmp240650078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240650078.exe
179⤵
PID:872

C:\Users\Admin\AppData\Local\Temp\tmp240650296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240650296.exe
180⤵
PID:5056

C:\Users\Admin\AppData\Local\Temp\tmp240650421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240650421.exe
181⤵
PID:3996

C:\Users\Admin\AppData\Local\Temp\tmp240650468.exe
C:\Users\Admin\AppData\Local\Temp\tmp240650468.exe
181⤵
PID:2444

C:\Users\Admin\AppData\Local\Temp\tmp240650265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240650265.exe
180⤵
PID:3504

C:\Users\Admin\AppData\Local\Temp\tmp240650015.exe
C:\Users\Admin\AppData\Local\Temp\tmp240650015.exe
179⤵
PID:4848

C:\Users\Admin\AppData\Local\Temp\tmp240640328.exe
C:\Users\Admin\AppData\Local\Temp\tmp240640328.exe
178⤵
PID:1968

C:\Users\Admin\AppData\Local\Temp\tmp240640421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240640421.exe
179⤵
PID:3640

C:\Users\Admin\AppData\Local\Temp\tmp240640453.exe
C:\Users\Admin\AppData\Local\Temp\tmp240640453.exe
179⤵
PID:4092

C:\Users\Admin\AppData\Local\Temp\tmp240639593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240639593.exe
172⤵
PID:2400

C:\Users\Admin\AppData\Local\Temp\tmp240638796.exe
C:\Users\Admin\AppData\Local\Temp\tmp240638796.exe
169⤵
PID:1572

C:\Users\Admin\AppData\Local\Temp\tmp240638921.exe
C:\Users\Admin\AppData\Local\Temp\tmp240638921.exe
170⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\tmp240638953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240638953.exe
170⤵
PID:5004

C:\Users\Admin\AppData\Local\Temp\tmp240639140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240639140.exe
171⤵
PID:2656

C:\Users\Admin\AppData\Local\Temp\tmp240639218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240639218.exe
172⤵
PID:1068

C:\Users\Admin\AppData\Local\Temp\tmp240639234.exe
C:\Users\Admin\AppData\Local\Temp\tmp240639234.exe
172⤵
PID:4948

C:\Users\Admin\AppData\Local\Temp\tmp240639328.exe
C:\Users\Admin\AppData\Local\Temp\tmp240639328.exe
173⤵
PID:1820

C:\Users\Admin\AppData\Local\Temp\tmp240639468.exe
C:\Users\Admin\AppData\Local\Temp\tmp240639468.exe
174⤵
PID:2416

C:\Users\Admin\AppData\Local\Temp\tmp240639546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240639546.exe
175⤵
PID:4760

C:\Users\Admin\AppData\Local\Temp\tmp240652656.exe
C:\Users\Admin\AppData\Local\Temp\tmp240652656.exe
176⤵
PID:3772

C:\Users\Admin\AppData\Local\Temp\tmp240639640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240639640.exe
175⤵
PID:4076

C:\Users\Admin\AppData\Local\Temp\tmp240639453.exe
C:\Users\Admin\AppData\Local\Temp\tmp240639453.exe
174⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\tmp240639296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240639296.exe
173⤵
PID:4648

C:\Users\Admin\AppData\Local\Temp\tmp240652515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240652515.exe
174⤵
PID:4520

C:\Users\Admin\AppData\Local\Temp\tmp240652734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240652734.exe
175⤵
PID:3588

C:\Users\Admin\AppData\Local\Temp\tmp240652484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240652484.exe
174⤵
PID:4056

C:\Users\Admin\AppData\Local\Temp\tmp240648781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240648781.exe
173⤵
PID:4240

C:\Users\Admin\AppData\Local\Temp\tmp240649015.exe
C:\Users\Admin\AppData\Local\Temp\tmp240649015.exe
174⤵
PID:4076

C:\Users\Admin\AppData\Local\Temp\tmp240649156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240649156.exe
175⤵
PID:4524

C:\Users\Admin\AppData\Local\Temp\tmp240649421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240649421.exe
175⤵
PID:4828

C:\Users\Admin\AppData\Local\Temp\tmp240649687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240649687.exe
176⤵
PID:4976

C:\Users\Admin\AppData\Local\Temp\tmp240649718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240649718.exe
176⤵
PID:4380

C:\Users\Admin\AppData\Local\Temp\tmp240650031.exe
C:\Users\Admin\AppData\Local\Temp\tmp240650031.exe
177⤵
PID:3960

C:\Users\Admin\AppData\Local\Temp\tmp240650218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240650218.exe
178⤵
PID:816

C:\Users\Admin\AppData\Local\Temp\tmp240650312.exe
C:\Users\Admin\AppData\Local\Temp\tmp240650312.exe
179⤵
PID:3716

C:\Users\Admin\AppData\Local\Temp\tmp240650437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240650437.exe
179⤵
PID:4332

C:\Users\Admin\AppData\Local\Temp\tmp240650187.exe
C:\Users\Admin\AppData\Local\Temp\tmp240650187.exe
178⤵
PID:3012

C:\Users\Admin\AppData\Local\Temp\tmp240649906.exe
C:\Users\Admin\AppData\Local\Temp\tmp240649906.exe
177⤵
PID:1236

C:\Users\Admin\AppData\Local\Temp\tmp240648750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240648750.exe
173⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\tmp240639125.exe
C:\Users\Admin\AppData\Local\Temp\tmp240639125.exe
171⤵
PID:4952

C:\Users\Admin\AppData\Local\Temp\tmp240638265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240638265.exe
166⤵
PID:1740

C:\Users\Admin\AppData\Local\Temp\tmp240638312.exe
C:\Users\Admin\AppData\Local\Temp\tmp240638312.exe
167⤵
PID:4496

C:\Users\Admin\AppData\Local\Temp\tmp240638328.exe
C:\Users\Admin\AppData\Local\Temp\tmp240638328.exe
167⤵
PID:428

C:\Users\Admin\AppData\Local\Temp\tmp240638421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240638421.exe
168⤵
PID:2188

C:\Users\Admin\AppData\Local\Temp\tmp240638453.exe
C:\Users\Admin\AppData\Local\Temp\tmp240638453.exe
168⤵
PID:2596

C:\Users\Admin\AppData\Local\Temp\tmp240638593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240638593.exe
169⤵
PID:2136

C:\Users\Admin\AppData\Local\Temp\tmp240638656.exe
C:\Users\Admin\AppData\Local\Temp\tmp240638656.exe
169⤵
PID:1932

C:\Users\Admin\AppData\Local\Temp\tmp240638828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240638828.exe
170⤵
PID:3020

C:\Users\Admin\AppData\Local\Temp\tmp240638859.exe
C:\Users\Admin\AppData\Local\Temp\tmp240638859.exe
170⤵
PID:3572

C:\Users\Admin\AppData\Local\Temp\tmp240638968.exe
C:\Users\Admin\AppData\Local\Temp\tmp240638968.exe
171⤵
PID:4868

C:\Users\Admin\AppData\Local\Temp\tmp240639046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240639046.exe
171⤵
PID:2380

C:\Users\Admin\AppData\Local\Temp\tmp240639171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240639171.exe
172⤵
PID:4704

C:\Users\Admin\AppData\Local\Temp\tmp240639203.exe
C:\Users\Admin\AppData\Local\Temp\tmp240639203.exe
172⤵
PID:1900

C:\Users\Admin\AppData\Local\Temp\tmp240639250.exe
C:\Users\Admin\AppData\Local\Temp\tmp240639250.exe
173⤵
PID:3548

C:\Users\Admin\AppData\Local\Temp\tmp240639281.exe
C:\Users\Admin\AppData\Local\Temp\tmp240639281.exe
173⤵
PID:5040

C:\Users\Admin\AppData\Local\Temp\tmp240637562.exe
C:\Users\Admin\AppData\Local\Temp\tmp240637562.exe
164⤵
PID:1028

C:\Users\Admin\AppData\Local\Temp\tmp240637765.exe
C:\Users\Admin\AppData\Local\Temp\tmp240637765.exe
165⤵
PID:2076

C:\Users\Admin\AppData\Local\Temp\tmp240637796.exe
C:\Users\Admin\AppData\Local\Temp\tmp240637796.exe
165⤵
PID:1872

C:\Users\Admin\AppData\Local\Temp\tmp240637921.exe
C:\Users\Admin\AppData\Local\Temp\tmp240637921.exe
166⤵
PID:2860

C:\Users\Admin\AppData\Local\Temp\tmp240637968.exe
C:\Users\Admin\AppData\Local\Temp\tmp240637968.exe
166⤵
PID:3644

C:\Users\Admin\AppData\Local\Temp\tmp240638078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240638078.exe
167⤵
PID:2460

C:\Users\Admin\AppData\Local\Temp\tmp240638140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240638140.exe
168⤵
PID:1540

C:\Users\Admin\AppData\Local\Temp\tmp240638171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240638171.exe
168⤵
PID:4944

C:\Users\Admin\AppData\Local\Temp\tmp240638234.exe
C:\Users\Admin\AppData\Local\Temp\tmp240638234.exe
169⤵
PID:2344

C:\Users\Admin\AppData\Local\Temp\tmp240638359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240638359.exe
169⤵
PID:4040

C:\Users\Admin\AppData\Local\Temp\tmp240638437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240638437.exe
170⤵
PID:5020

C:\Users\Admin\AppData\Local\Temp\tmp240638484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240638484.exe
170⤵
PID:4812

C:\Users\Admin\AppData\Local\Temp\tmp240638046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240638046.exe
167⤵
PID:2440

C:\Users\Admin\AppData\Local\Temp\tmp240635921.exe
C:\Users\Admin\AppData\Local\Temp\tmp240635921.exe
162⤵
PID:3468

C:\Users\Admin\AppData\Local\Temp\tmp240635984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240635984.exe
163⤵
PID:4892

C:\Users\Admin\AppData\Local\Temp\tmp240636156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240636156.exe
163⤵
PID:656

C:\Users\Admin\AppData\Local\Temp\tmp240636203.exe
C:\Users\Admin\AppData\Local\Temp\tmp240636203.exe
164⤵
PID:2044

C:\Users\Admin\AppData\Local\Temp\tmp240636218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240636218.exe
164⤵
PID:872

C:\Users\Admin\AppData\Local\Temp\tmp240636312.exe
C:\Users\Admin\AppData\Local\Temp\tmp240636312.exe
165⤵
PID:4324

C:\Users\Admin\AppData\Local\Temp\tmp240636359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240636359.exe
165⤵
PID:3716

C:\Users\Admin\AppData\Local\Temp\tmp240635406.exe
C:\Users\Admin\AppData\Local\Temp\tmp240635406.exe
158⤵
PID:2436

C:\Users\Admin\AppData\Local\Temp\tmp240634687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240634687.exe
156⤵
PID:1020

C:\Users\Admin\AppData\Local\Temp\tmp240634734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240634734.exe
157⤵
PID:1900

C:\Users\Admin\AppData\Local\Temp\tmp240634781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240634781.exe
157⤵
PID:4372

C:\Users\Admin\AppData\Local\Temp\tmp240634906.exe
C:\Users\Admin\AppData\Local\Temp\tmp240634906.exe
158⤵
PID:4424

C:\Users\Admin\AppData\Local\Temp\tmp240634953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240634953.exe
158⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\tmp240634609.exe
C:\Users\Admin\AppData\Local\Temp\tmp240634609.exe
155⤵
PID:4028

C:\Users\Admin\AppData\Local\Temp\tmp240634171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240634171.exe
151⤵
- Modifies registry class
PID:1996

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
152⤵
PID:3396

C:\Users\Admin\AppData\Local\Temp\tmp240634703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240634703.exe
153⤵
PID:2552

C:\Users\Admin\AppData\Local\Temp\tmp240634718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240634718.exe
153⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\tmp240634828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240634828.exe
154⤵
PID:5084

C:\Users\Admin\AppData\Local\Temp\tmp240634937.exe
C:\Users\Admin\AppData\Local\Temp\tmp240634937.exe
154⤵
PID:3144

C:\Users\Admin\AppData\Local\Temp\tmp240635031.exe
C:\Users\Admin\AppData\Local\Temp\tmp240635031.exe
155⤵
PID:4648

C:\Users\Admin\AppData\Local\Temp\tmp240635062.exe
C:\Users\Admin\AppData\Local\Temp\tmp240635062.exe
155⤵
PID:4196

C:\Users\Admin\AppData\Local\Temp\tmp240635125.exe
C:\Users\Admin\AppData\Local\Temp\tmp240635125.exe
156⤵
PID:3972

C:\Users\Admin\AppData\Local\Temp\tmp240635156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240635156.exe
156⤵
PID:8

C:\Users\Admin\AppData\Local\Temp\tmp240635218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240635218.exe
157⤵
PID:212

C:\Users\Admin\AppData\Local\Temp\tmp240635234.exe
C:\Users\Admin\AppData\Local\Temp\tmp240635234.exe
157⤵
PID:4056

C:\Users\Admin\AppData\Local\Temp\tmp240635328.exe
C:\Users\Admin\AppData\Local\Temp\tmp240635328.exe
158⤵
PID:336

C:\Users\Admin\AppData\Local\Temp\tmp240635343.exe
C:\Users\Admin\AppData\Local\Temp\tmp240635343.exe
158⤵
PID:316

C:\Users\Admin\AppData\Local\Temp\tmp240635437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240635437.exe
159⤵
PID:2192

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
160⤵
PID:3568

C:\Users\Admin\AppData\Local\Temp\tmp240635937.exe
C:\Users\Admin\AppData\Local\Temp\tmp240635937.exe
161⤵
PID:5112

C:\Users\Admin\AppData\Local\Temp\tmp240649328.exe
C:\Users\Admin\AppData\Local\Temp\tmp240649328.exe
162⤵
PID:4008

C:\Users\Admin\AppData\Local\Temp\tmp240635953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240635953.exe
161⤵
PID:1188

C:\Users\Admin\AppData\Local\Temp\tmp240636062.exe
C:\Users\Admin\AppData\Local\Temp\tmp240636062.exe
162⤵
PID:392

C:\Users\Admin\AppData\Local\Temp\tmp240636109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240636109.exe
162⤵
PID:4308

C:\Users\Admin\AppData\Local\Temp\tmp240636250.exe
C:\Users\Admin\AppData\Local\Temp\tmp240636250.exe
163⤵
PID:4976

C:\Users\Admin\AppData\Local\Temp\tmp240636265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240636265.exe
163⤵
PID:1236

C:\Users\Admin\AppData\Local\Temp\tmp240636328.exe
C:\Users\Admin\AppData\Local\Temp\tmp240636328.exe
164⤵
PID:3412

C:\Users\Admin\AppData\Local\Temp\tmp240636437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240636437.exe
164⤵
PID:4192

C:\Users\Admin\AppData\Local\Temp\tmp240636515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240636515.exe
165⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\tmp240637515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240637515.exe
165⤵
PID:4336

C:\Users\Admin\AppData\Local\Temp\tmp240637593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240637593.exe
166⤵
PID:3360

C:\Users\Admin\AppData\Local\Temp\tmp240637640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240637640.exe
166⤵
PID:2444

C:\Users\Admin\AppData\Local\Temp\tmp240637687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240637687.exe
167⤵
PID:1288

C:\Users\Admin\AppData\Local\Temp\tmp240637734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240637734.exe
167⤵
PID:4264

C:\Users\Admin\AppData\Local\Temp\tmp240637781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240637781.exe
168⤵
PID:4396

C:\Users\Admin\AppData\Local\Temp\tmp240637906.exe
C:\Users\Admin\AppData\Local\Temp\tmp240637906.exe
168⤵
PID:900

C:\Users\Admin\AppData\Local\Temp\tmp240635453.exe
C:\Users\Admin\AppData\Local\Temp\tmp240635453.exe
159⤵
PID:1772

C:\Users\Admin\AppData\Local\Temp\tmp240635515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240635515.exe
160⤵
PID:2504

C:\Users\Admin\AppData\Local\Temp\tmp240635578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240635578.exe
160⤵
PID:5048

C:\Users\Admin\AppData\Local\Temp\tmp240633828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240633828.exe
149⤵
PID:4744

C:\Users\Admin\AppData\Local\Temp\tmp240633875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240633875.exe
150⤵
PID:1736

C:\Users\Admin\AppData\Local\Temp\tmp240633906.exe
C:\Users\Admin\AppData\Local\Temp\tmp240633906.exe
150⤵
PID:1756

C:\Users\Admin\AppData\Local\Temp\tmp240633968.exe
C:\Users\Admin\AppData\Local\Temp\tmp240633968.exe
151⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\tmp240633984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240633984.exe
151⤵
PID:4496

C:\Users\Admin\AppData\Local\Temp\tmp240634046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240634046.exe
152⤵
PID:1528

C:\Users\Admin\AppData\Local\Temp\tmp240634062.exe
C:\Users\Admin\AppData\Local\Temp\tmp240634062.exe
152⤵
PID:1984

C:\Users\Admin\AppData\Local\Temp\tmp240634109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240634109.exe
153⤵
PID:2940

C:\Users\Admin\AppData\Local\Temp\tmp240634140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240634140.exe
153⤵
PID:3800

C:\Users\Admin\AppData\Local\Temp\tmp240634187.exe
C:\Users\Admin\AppData\Local\Temp\tmp240634187.exe
154⤵
PID:4968

C:\Users\Admin\AppData\Local\Temp\tmp240634250.exe
C:\Users\Admin\AppData\Local\Temp\tmp240634250.exe
154⤵
PID:2500

C:\Users\Admin\AppData\Local\Temp\tmp240634312.exe
C:\Users\Admin\AppData\Local\Temp\tmp240634312.exe
155⤵
PID:5104

C:\Users\Admin\AppData\Local\Temp\tmp240634375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240634375.exe
155⤵
PID:4376

C:\Users\Admin\AppData\Local\Temp\tmp240633296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240633296.exe
147⤵
PID:4500

C:\Users\Admin\AppData\Local\Temp\tmp240633328.exe
C:\Users\Admin\AppData\Local\Temp\tmp240633328.exe
148⤵
PID:1288

C:\Users\Admin\AppData\Local\Temp\tmp240633390.exe
C:\Users\Admin\AppData\Local\Temp\tmp240633390.exe
148⤵
PID:3132

C:\Users\Admin\AppData\Local\Temp\tmp240633468.exe
C:\Users\Admin\AppData\Local\Temp\tmp240633468.exe
149⤵
PID:4972

C:\Users\Admin\AppData\Local\Temp\tmp240633593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240633593.exe
149⤵
PID:2332

C:\Users\Admin\AppData\Local\Temp\tmp240632843.exe
C:\Users\Admin\AppData\Local\Temp\tmp240632843.exe
145⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\tmp240632937.exe
C:\Users\Admin\AppData\Local\Temp\tmp240632937.exe
146⤵
PID:3496

C:\Users\Admin\AppData\Local\Temp\tmp240633031.exe
C:\Users\Admin\AppData\Local\Temp\tmp240633031.exe
146⤵
PID:4676

C:\Users\Admin\AppData\Local\Temp\tmp240633078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240633078.exe
147⤵
PID:4208

C:\Users\Admin\AppData\Local\Temp\tmp240633125.exe
C:\Users\Admin\AppData\Local\Temp\tmp240633125.exe
147⤵
PID:1064

C:\Users\Admin\AppData\Local\Temp\tmp240633171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240633171.exe
148⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\tmp240633187.exe
C:\Users\Admin\AppData\Local\Temp\tmp240633187.exe
148⤵
PID:2252

C:\Users\Admin\AppData\Local\Temp\tmp240633250.exe
C:\Users\Admin\AppData\Local\Temp\tmp240633250.exe
149⤵
PID:1392

C:\Users\Admin\AppData\Local\Temp\tmp240633421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240633421.exe
149⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\tmp240633546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240633546.exe
150⤵
PID:4536

C:\Users\Admin\AppData\Local\Temp\tmp240633593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240633593.exe
150⤵
PID:900

C:\Users\Admin\AppData\Local\Temp\tmp240632453.exe
C:\Users\Admin\AppData\Local\Temp\tmp240632453.exe
143⤵
PID:1956

C:\Users\Admin\AppData\Local\Temp\tmp240632593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240632593.exe
144⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\tmp240632625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240632625.exe
144⤵
PID:3872

C:\Users\Admin\AppData\Local\Temp\tmp240632687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240632687.exe
145⤵
PID:4820

C:\Users\Admin\AppData\Local\Temp\tmp240632703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240632703.exe
145⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\tmp240632734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240632734.exe
146⤵
PID:4308

C:\Users\Admin\AppData\Local\Temp\tmp240632765.exe
C:\Users\Admin\AppData\Local\Temp\tmp240632765.exe
146⤵
PID:4976

C:\Users\Admin\AppData\Local\Temp\tmp240632828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240632828.exe
147⤵
PID:872

C:\Users\Admin\AppData\Local\Temp\tmp240632890.exe
C:\Users\Admin\AppData\Local\Temp\tmp240632890.exe
147⤵
PID:3120

C:\Users\Admin\AppData\Local\Temp\tmp240632984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240632984.exe
148⤵
PID:3940

C:\Users\Admin\AppData\Local\Temp\tmp240633000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240633000.exe
148⤵
PID:2572

C:\Users\Admin\AppData\Local\Temp\tmp240631625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240631625.exe
141⤵
PID:1120

C:\Users\Admin\AppData\Local\Temp\tmp240631718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240631718.exe
142⤵
PID:720

C:\Users\Admin\AppData\Local\Temp\tmp240631843.exe
C:\Users\Admin\AppData\Local\Temp\tmp240631843.exe
142⤵
PID:1048

C:\Users\Admin\AppData\Local\Temp\tmp240632109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240632109.exe
143⤵
PID:2192

C:\Users\Admin\AppData\Local\Temp\tmp240632203.exe
C:\Users\Admin\AppData\Local\Temp\tmp240632203.exe
143⤵
PID:2916

C:\Users\Admin\AppData\Local\Temp\tmp240632296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240632296.exe
144⤵
PID:2100

C:\Users\Admin\AppData\Local\Temp\tmp240632359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240632359.exe
144⤵
PID:2900

C:\Users\Admin\AppData\Local\Temp\tmp240629812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240629812.exe
132⤵
PID:3420

C:\Users\Admin\AppData\Local\Temp\tmp240629390.exe
C:\Users\Admin\AppData\Local\Temp\tmp240629390.exe
131⤵
PID:2572

C:\Users\Admin\AppData\Local\Temp\tmp240649109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240649109.exe
128⤵
PID:756

C:\Users\Admin\AppData\Local\Temp\tmp240627546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240627546.exe
125⤵
PID:2552

C:\Users\Admin\AppData\Local\Temp\tmp240627609.exe
C:\Users\Admin\AppData\Local\Temp\tmp240627609.exe
126⤵
PID:3172

C:\Users\Admin\AppData\Local\Temp\tmp240627671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240627671.exe
126⤵
PID:2656

C:\Users\Admin\AppData\Local\Temp\tmp240627718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240627718.exe
127⤵
PID:2976

C:\Users\Admin\AppData\Local\Temp\tmp240627734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240627734.exe
127⤵
PID:4212

C:\Users\Admin\AppData\Local\Temp\tmp240627796.exe
C:\Users\Admin\AppData\Local\Temp\tmp240627796.exe
128⤵
PID:4372

C:\Users\Admin\AppData\Local\Temp\tmp240627812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240627812.exe
128⤵
PID:1172

C:\Users\Admin\AppData\Local\Temp\tmp240626437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240626437.exe
121⤵
PID:4584

C:\Users\Admin\AppData\Local\Temp\tmp240624968.exe
C:\Users\Admin\AppData\Local\Temp\tmp240624968.exe
114⤵
PID:4380

C:\Users\Admin\AppData\Local\Temp\tmp240625015.exe
C:\Users\Admin\AppData\Local\Temp\tmp240625015.exe
115⤵
PID:4092

C:\Users\Admin\AppData\Local\Temp\tmp240625046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240625046.exe
115⤵
PID:4308

C:\Users\Admin\AppData\Local\Temp\tmp240625125.exe
C:\Users\Admin\AppData\Local\Temp\tmp240625125.exe
116⤵
PID:3780

C:\Users\Admin\AppData\Local\Temp\tmp240625171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240625171.exe
116⤵
PID:528

C:\Users\Admin\AppData\Local\Temp\tmp240625234.exe
C:\Users\Admin\AppData\Local\Temp\tmp240625234.exe
117⤵
PID:392

C:\Users\Admin\AppData\Local\Temp\tmp240625250.exe
C:\Users\Admin\AppData\Local\Temp\tmp240625250.exe
117⤵
PID:3640

C:\Users\Admin\AppData\Local\Temp\tmp240625296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240625296.exe
118⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\tmp240625312.exe
C:\Users\Admin\AppData\Local\Temp\tmp240625312.exe
118⤵
PID:2044

C:\Users\Admin\AppData\Local\Temp\tmp240624578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240624578.exe
112⤵
PID:2320

C:\Users\Admin\AppData\Local\Temp\tmp240624609.exe
C:\Users\Admin\AppData\Local\Temp\tmp240624609.exe
113⤵
PID:316

C:\Users\Admin\AppData\Local\Temp\tmp240624640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240624640.exe
113⤵
PID:4772

C:\Users\Admin\AppData\Local\Temp\tmp240624718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240624718.exe
114⤵
PID:4520

C:\Users\Admin\AppData\Local\Temp\tmp240624734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240624734.exe
114⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\tmp240624812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240624812.exe
115⤵
PID:4656

C:\Users\Admin\AppData\Local\Temp\tmp240632312.exe
C:\Users\Admin\AppData\Local\Temp\tmp240632312.exe
116⤵
PID:1892

C:\Users\Admin\AppData\Local\Temp\tmp240624828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240624828.exe
115⤵
PID:2916

C:\Users\Admin\AppData\Local\Temp\tmp240624093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240624093.exe
110⤵
PID:2968

C:\Users\Admin\AppData\Local\Temp\tmp240624125.exe
C:\Users\Admin\AppData\Local\Temp\tmp240624125.exe
111⤵
PID:4104

C:\Users\Admin\AppData\Local\Temp\tmp240624140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240624140.exe
111⤵
PID:4644

C:\Users\Admin\AppData\Local\Temp\tmp240624203.exe
C:\Users\Admin\AppData\Local\Temp\tmp240624203.exe
112⤵
PID:2564

C:\Users\Admin\AppData\Local\Temp\tmp240624234.exe
C:\Users\Admin\AppData\Local\Temp\tmp240624234.exe
112⤵
PID:5060

C:\Users\Admin\AppData\Local\Temp\tmp240624296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240624296.exe
113⤵
PID:3276

C:\Users\Admin\AppData\Local\Temp\tmp240624328.exe
C:\Users\Admin\AppData\Local\Temp\tmp240624328.exe
113⤵
PID:1696

C:\Users\Admin\AppData\Local\Temp\tmp240623703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240623703.exe
108⤵
PID:2944

C:\Users\Admin\AppData\Local\Temp\tmp240622531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240622531.exe
103⤵
PID:3132

C:\Users\Admin\AppData\Local\Temp\tmp240622625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240622625.exe
104⤵
PID:4660

C:\Users\Admin\AppData\Local\Temp\tmp240622687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240622687.exe
104⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\tmp240622906.exe
C:\Users\Admin\AppData\Local\Temp\tmp240622906.exe
105⤵
PID:2184

C:\Users\Admin\AppData\Local\Temp\tmp240622984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240622984.exe
106⤵
PID:2220

C:\Users\Admin\AppData\Local\Temp\tmp240623265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240623265.exe
106⤵
PID:4160

C:\Users\Admin\AppData\Local\Temp\tmp240622843.exe
C:\Users\Admin\AppData\Local\Temp\tmp240622843.exe
105⤵
PID:3504

C:\Users\Admin\AppData\Local\Temp\tmp240621937.exe
C:\Users\Admin\AppData\Local\Temp\tmp240621937.exe
101⤵
PID:3980

C:\Users\Admin\AppData\Local\Temp\tmp240621968.exe
C:\Users\Admin\AppData\Local\Temp\tmp240621968.exe
102⤵
PID:2076

C:\Users\Admin\AppData\Local\Temp\tmp240622281.exe
C:\Users\Admin\AppData\Local\Temp\tmp240622281.exe
102⤵
PID:4972

C:\Users\Admin\AppData\Local\Temp\tmp240622765.exe
C:\Users\Admin\AppData\Local\Temp\tmp240622765.exe
103⤵
PID:4584

C:\Users\Admin\AppData\Local\Temp\tmp240622812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240622812.exe
103⤵
PID:3616

C:\Users\Admin\AppData\Local\Temp\tmp240623187.exe
C:\Users\Admin\AppData\Local\Temp\tmp240623187.exe
104⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\tmp240623171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240623171.exe
104⤵
PID:3184

C:\Users\Admin\AppData\Local\Temp\tmp240621671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240621671.exe
99⤵
PID:392

C:\Users\Admin\AppData\Local\Temp\tmp240618531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240618531.exe
89⤵
PID:3164

C:\Users\Admin\AppData\Local\Temp\tmp240618625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240618625.exe
90⤵
PID:1972

C:\Users\Admin\AppData\Local\Temp\tmp240618781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240618781.exe
90⤵
PID:4600

C:\Users\Admin\AppData\Local\Temp\tmp240618906.exe
C:\Users\Admin\AppData\Local\Temp\tmp240618906.exe
91⤵
PID:4212

C:\Users\Admin\AppData\Local\Temp\tmp240619000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240619000.exe
91⤵
PID:4688

C:\Users\Admin\AppData\Local\Temp\tmp240619109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240619109.exe
92⤵
PID:2064

C:\Users\Admin\AppData\Local\Temp\tmp240619187.exe
C:\Users\Admin\AppData\Local\Temp\tmp240619187.exe
92⤵
PID:1412

C:\Users\Admin\AppData\Local\Temp\tmp240643140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240643140.exe
91⤵
PID:3972

C:\Users\Admin\AppData\Local\Temp\tmp240618093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240618093.exe
87⤵
PID:2184

C:\Users\Admin\AppData\Local\Temp\tmp240616468.exe
C:\Users\Admin\AppData\Local\Temp\tmp240616468.exe
82⤵
PID:2572

C:\Users\Admin\AppData\Local\Temp\tmp240616593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240616593.exe
83⤵
PID:4820

C:\Users\Admin\AppData\Local\Temp\tmp240617031.exe
C:\Users\Admin\AppData\Local\Temp\tmp240617031.exe
83⤵
PID:3248

C:\Users\Admin\AppData\Local\Temp\tmp240617437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240617437.exe
84⤵
PID:1288

C:\Users\Admin\AppData\Local\Temp\tmp240617359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240617359.exe
84⤵
PID:4488

C:\Users\Admin\AppData\Local\Temp\tmp240615093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615093.exe
79⤵
PID:4532

C:\Users\Admin\AppData\Local\Temp\tmp240615296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615296.exe
80⤵
PID:5008

C:\Users\Admin\AppData\Local\Temp\tmp240615484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615484.exe
80⤵
PID:3372

C:\Users\Admin\AppData\Local\Temp\tmp240615640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615640.exe
81⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:5092

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
82⤵
PID:3496

C:\Users\Admin\AppData\Local\Temp\tmp240616421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240616421.exe
83⤵
PID:3568

C:\Users\Admin\AppData\Local\Temp\tmp240616546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240616546.exe
83⤵
PID:816

C:\Users\Admin\AppData\Local\Temp\tmp240617093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240617093.exe
84⤵
- Checks computer location settings
PID:2460

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
85⤵
PID:2500

C:\Users\Admin\AppData\Local\Temp\tmp240617937.exe
C:\Users\Admin\AppData\Local\Temp\tmp240617937.exe
86⤵
PID:2420

C:\Users\Admin\AppData\Local\Temp\tmp240618140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240618140.exe
86⤵
PID:1884

C:\Users\Admin\AppData\Local\Temp\tmp240618250.exe
C:\Users\Admin\AppData\Local\Temp\tmp240618250.exe
87⤵
PID:4588

C:\Users\Admin\AppData\Local\Temp\tmp240618359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240618359.exe
87⤵
PID:4220

C:\Users\Admin\AppData\Local\Temp\tmp240618515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240618515.exe
88⤵
PID:2408

C:\Users\Admin\AppData\Local\Temp\tmp240618546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240618546.exe
88⤵
PID:3404

C:\Users\Admin\AppData\Local\Temp\tmp240618656.exe
C:\Users\Admin\AppData\Local\Temp\tmp240618656.exe
89⤵
PID:2056

C:\Users\Admin\AppData\Local\Temp\tmp240618734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240618734.exe
89⤵
PID:3524

C:\Users\Admin\AppData\Local\Temp\tmp240617265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240617265.exe
84⤵
PID:1788

C:\Users\Admin\AppData\Local\Temp\tmp240617453.exe
C:\Users\Admin\AppData\Local\Temp\tmp240617453.exe
85⤵
PID:3124

C:\Users\Admin\AppData\Local\Temp\tmp240617656.exe
C:\Users\Admin\AppData\Local\Temp\tmp240617656.exe
85⤵
PID:3256

C:\Users\Admin\AppData\Local\Temp\tmp240617781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240617781.exe
86⤵
PID:5068

C:\Users\Admin\AppData\Local\Temp\tmp240617828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240617828.exe
86⤵
PID:3180

C:\Users\Admin\AppData\Local\Temp\tmp240615968.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615968.exe
81⤵
PID:4956

C:\Users\Admin\AppData\Local\Temp\tmp240613250.exe
C:\Users\Admin\AppData\Local\Temp\tmp240613250.exe
76⤵
PID:612

C:\Users\Admin\AppData\Local\Temp\tmp240613546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240613546.exe
77⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\tmp240613640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240613640.exe
77⤵
PID:4412

C:\Users\Admin\AppData\Local\Temp\tmp240614093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240614093.exe
78⤵
- Drops file in System32 directory
PID:840

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
79⤵
PID:4688

C:\Users\Admin\AppData\Local\Temp\tmp240615015.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615015.exe
80⤵
PID:1156

C:\Users\Admin\AppData\Local\Temp\tmp240615203.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615203.exe
80⤵
PID:2260

C:\Users\Admin\AppData\Local\Temp\tmp240615375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615375.exe
81⤵
PID:4172

C:\Users\Admin\AppData\Local\Temp\tmp240615562.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615562.exe
81⤵
PID:4092

C:\Users\Admin\AppData\Local\Temp\tmp240616046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240616046.exe
82⤵
PID:2036

C:\Users\Admin\AppData\Local\Temp\tmp240616343.exe
C:\Users\Admin\AppData\Local\Temp\tmp240616343.exe
82⤵
PID:3584

C:\Users\Admin\AppData\Local\Temp\tmp240616484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240616484.exe
83⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\tmp240616578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240616578.exe
83⤵
PID:3332

C:\Users\Admin\AppData\Local\Temp\tmp240614468.exe
C:\Users\Admin\AppData\Local\Temp\tmp240614468.exe
78⤵
PID:3744

C:\Users\Admin\AppData\Local\Temp\tmp240614953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240614953.exe
79⤵
PID:2400

C:\Users\Admin\AppData\Local\Temp\tmp240615046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615046.exe
79⤵
PID:3348

C:\Users\Admin\AppData\Local\Temp\tmp240612500.exe
C:\Users\Admin\AppData\Local\Temp\tmp240612500.exe
74⤵
PID:4472

C:\Users\Admin\AppData\Local\Temp\tmp240612593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240612593.exe
75⤵
PID:744

C:\Users\Admin\AppData\Local\Temp\tmp240612671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240612671.exe
75⤵
PID:2468

C:\Users\Admin\AppData\Local\Temp\tmp240629468.exe
C:\Users\Admin\AppData\Local\Temp\tmp240629468.exe
76⤵
PID:3584

C:\Users\Admin\AppData\Local\Temp\tmp240611031.exe
C:\Users\Admin\AppData\Local\Temp\tmp240611031.exe
70⤵
PID:3628

C:\Users\Admin\AppData\Local\Temp\tmp240611093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240611093.exe
71⤵
PID:3876

C:\Users\Admin\AppData\Local\Temp\tmp240611171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240611171.exe
71⤵
PID:4548

C:\Users\Admin\AppData\Local\Temp\tmp240611296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240611296.exe
72⤵
PID:4712

C:\Users\Admin\AppData\Local\Temp\tmp240611359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240611359.exe
72⤵
PID:3732

C:\Users\Admin\AppData\Local\Temp\tmp240610625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240610625.exe
68⤵
PID:4320

C:\Users\Admin\AppData\Local\Temp\tmp240610718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240610718.exe
69⤵
PID:4072

C:\Users\Admin\AppData\Local\Temp\tmp240610781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240610781.exe
69⤵
PID:224

C:\Users\Admin\AppData\Local\Temp\tmp240610828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240610828.exe
70⤵
PID:3840

C:\Users\Admin\AppData\Local\Temp\tmp240610937.exe
C:\Users\Admin\AppData\Local\Temp\tmp240610937.exe
70⤵
PID:3672

C:\Users\Admin\AppData\Local\Temp\tmp240610140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240610140.exe
66⤵
PID:4444

C:\Users\Admin\AppData\Local\Temp\tmp240608921.exe
C:\Users\Admin\AppData\Local\Temp\tmp240608921.exe
62⤵
PID:4868

C:\Users\Admin\AppData\Local\Temp\tmp240609265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240609265.exe
63⤵
PID:1172

C:\Users\Admin\AppData\Local\Temp\tmp240609734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240609734.exe
63⤵
PID:3384

C:\Users\Admin\AppData\Local\Temp\tmp240608093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240608093.exe
59⤵
PID:1884

C:\Users\Admin\AppData\Local\Temp\tmp240608156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240608156.exe
60⤵
PID:2316

C:\Users\Admin\AppData\Local\Temp\tmp240608250.exe
C:\Users\Admin\AppData\Local\Temp\tmp240608250.exe
60⤵
PID:1768

C:\Users\Admin\AppData\Local\Temp\tmp240607703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240607703.exe
57⤵
PID:1420

C:\Users\Admin\AppData\Local\Temp\tmp240607843.exe
C:\Users\Admin\AppData\Local\Temp\tmp240607843.exe
58⤵
PID:612

C:\Users\Admin\AppData\Local\Temp\tmp240607937.exe
C:\Users\Admin\AppData\Local\Temp\tmp240607937.exe
58⤵
PID:1352

C:\Users\Admin\AppData\Local\Temp\tmp240607281.exe
C:\Users\Admin\AppData\Local\Temp\tmp240607281.exe
55⤵
PID:1984

C:\Users\Admin\AppData\Local\Temp\tmp240606953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240606953.exe
53⤵
PID:2212

C:\Users\Admin\AppData\Local\Temp\tmp240617468.exe
C:\Users\Admin\AppData\Local\Temp\tmp240617468.exe
53⤵
PID:3608

C:\Users\Admin\AppData\Local\Temp\tmp240606625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240606625.exe
51⤵
PID:744

C:\Users\Admin\AppData\Local\Temp\tmp240606281.exe
C:\Users\Admin\AppData\Local\Temp\tmp240606281.exe
49⤵
PID:2940

C:\Users\Admin\AppData\Local\Temp\tmp240605984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240605984.exe
47⤵
PID:2852

C:\Users\Admin\AppData\Local\Temp\tmp240605578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240605578.exe
45⤵
PID:2044

C:\Users\Admin\AppData\Local\Temp\tmp240605109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240605109.exe
43⤵
- Executes dropped EXE
PID:1684

C:\Users\Admin\AppData\Local\Temp\tmp240604640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240604640.exe
41⤵
- Executes dropped EXE
PID:3672

C:\Users\Admin\AppData\Local\Temp\tmp240604390.exe
C:\Users\Admin\AppData\Local\Temp\tmp240604390.exe
39⤵
- Executes dropped EXE
PID:112

C:\Users\Admin\AppData\Local\Temp\tmp240604046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240604046.exe
37⤵
- Executes dropped EXE
PID:2916

C:\Users\Admin\AppData\Local\Temp\tmp240603640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240603640.exe
35⤵
- Executes dropped EXE
PID:4308

C:\Users\Admin\AppData\Local\Temp\tmp240602875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240602875.exe
33⤵
- Executes dropped EXE
PID:3144

C:\Users\Admin\AppData\Local\Temp\tmp240602500.exe
C:\Users\Admin\AppData\Local\Temp\tmp240602500.exe
31⤵
- Executes dropped EXE
PID:3972

C:\Users\Admin\AppData\Local\Temp\tmp240601890.exe
C:\Users\Admin\AppData\Local\Temp\tmp240601890.exe
29⤵
- Executes dropped EXE
PID:3100

C:\Users\Admin\AppData\Local\Temp\tmp240601406.exe
C:\Users\Admin\AppData\Local\Temp\tmp240601406.exe
27⤵
- Executes dropped EXE
PID:3088

C:\Users\Admin\AppData\Local\Temp\tmp240601109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240601109.exe
25⤵
- Executes dropped EXE
PID:3800

C:\Users\Admin\AppData\Local\Temp\tmp240600734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240600734.exe
23⤵
- Executes dropped EXE
PID:1108

C:\Users\Admin\AppData\Local\Temp\tmp240600312.exe
C:\Users\Admin\AppData\Local\Temp\tmp240600312.exe
21⤵
- Executes dropped EXE
PID:2316

C:\Users\Admin\AppData\Local\Temp\tmp240599453.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599453.exe
19⤵
- Executes dropped EXE
PID:3076

C:\Users\Admin\AppData\Local\Temp\tmp240598984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240598984.exe
17⤵
- Executes dropped EXE
PID:1640

C:\Users\Admin\AppData\Local\Temp\tmp240598515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240598515.exe
15⤵
- Executes dropped EXE
PID:2444

C:\Users\Admin\AppData\Local\Temp\tmp240597906.exe
C:\Users\Admin\AppData\Local\Temp\tmp240597906.exe
13⤵
- Executes dropped EXE
PID:2372

C:\Users\Admin\AppData\Local\Temp\tmp240597437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240597437.exe
11⤵
- Executes dropped EXE
PID:1256

C:\Users\Admin\AppData\Local\Temp\tmp240596906.exe
C:\Users\Admin\AppData\Local\Temp\tmp240596906.exe
9⤵
- Executes dropped EXE
PID:3028

C:\Users\Admin\AppData\Local\Temp\tmp240596531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240596531.exe
7⤵
- Executes dropped EXE
PID:3628

C:\Users\Admin\AppData\Local\Temp\tmp240596062.exe
C:\Users\Admin\AppData\Local\Temp\tmp240596062.exe
5⤵
- Executes dropped EXE
PID:2264

C:\Users\Admin\AppData\Local\Temp\tmp240595500.exe
C:\Users\Admin\AppData\Local\Temp\tmp240595500.exe
3⤵
- Executes dropped EXE
PID:1892

C:\Users\Admin\AppData\Local\Temp\tmp240630171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240630171.exe
1⤵
PID:5068

C:\Users\Admin\AppData\Local\Temp\tmp240649125.exe
C:\Users\Admin\AppData\Local\Temp\tmp240649125.exe
1⤵
PID:1048

C:\Users\Admin\AppData\Local\Temp\tmp240652546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240652546.exe
1⤵
PID:1416

C:\Users\Admin\AppData\Local\Temp\tmp240652593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240652593.exe
1⤵
PID:3312

C:\Users\Admin\AppData\Local\Temp\tmp240652765.exe
C:\Users\Admin\AppData\Local\Temp\tmp240652765.exe
2⤵
PID:756

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp240595234.exe
Filesize
677KB

MD5
53a0d67cfbb64e20eff3ddd31f35ff50

SHA1
d7de4394a18b0a44137579b4edd9f560e5db04d0

SHA256
e191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718

SHA512
6d4fd8c3fe6435701e2272ab1537ce2c4beb3561c32b393bf1169feca0a6e61b44580f50b8456ad4df5856700dd236dc3b1b33e288e2c7bacae88db8b8dbfcfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240595234.exe
Filesize
677KB

MD5
53a0d67cfbb64e20eff3ddd31f35ff50

SHA1
d7de4394a18b0a44137579b4edd9f560e5db04d0

SHA256
e191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718

SHA512
6d4fd8c3fe6435701e2272ab1537ce2c4beb3561c32b393bf1169feca0a6e61b44580f50b8456ad4df5856700dd236dc3b1b33e288e2c7bacae88db8b8dbfcfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240595500.exe
Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240595984.exe
Filesize
677KB

MD5
53a0d67cfbb64e20eff3ddd31f35ff50

SHA1
d7de4394a18b0a44137579b4edd9f560e5db04d0

SHA256
e191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718

SHA512
6d4fd8c3fe6435701e2272ab1537ce2c4beb3561c32b393bf1169feca0a6e61b44580f50b8456ad4df5856700dd236dc3b1b33e288e2c7bacae88db8b8dbfcfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240595984.exe
Filesize
677KB

MD5
53a0d67cfbb64e20eff3ddd31f35ff50

SHA1
d7de4394a18b0a44137579b4edd9f560e5db04d0

SHA256
e191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718

SHA512
6d4fd8c3fe6435701e2272ab1537ce2c4beb3561c32b393bf1169feca0a6e61b44580f50b8456ad4df5856700dd236dc3b1b33e288e2c7bacae88db8b8dbfcfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240596062.exe
Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240596468.exe
Filesize
677KB

MD5
53a0d67cfbb64e20eff3ddd31f35ff50

SHA1
d7de4394a18b0a44137579b4edd9f560e5db04d0

SHA256
e191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718

SHA512
6d4fd8c3fe6435701e2272ab1537ce2c4beb3561c32b393bf1169feca0a6e61b44580f50b8456ad4df5856700dd236dc3b1b33e288e2c7bacae88db8b8dbfcfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240596468.exe
Filesize
677KB

MD5
53a0d67cfbb64e20eff3ddd31f35ff50

SHA1
d7de4394a18b0a44137579b4edd9f560e5db04d0

SHA256
e191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718

SHA512
6d4fd8c3fe6435701e2272ab1537ce2c4beb3561c32b393bf1169feca0a6e61b44580f50b8456ad4df5856700dd236dc3b1b33e288e2c7bacae88db8b8dbfcfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240596531.exe
Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240596828.exe
Filesize
677KB

MD5
53a0d67cfbb64e20eff3ddd31f35ff50

SHA1
d7de4394a18b0a44137579b4edd9f560e5db04d0

SHA256
e191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718

SHA512
6d4fd8c3fe6435701e2272ab1537ce2c4beb3561c32b393bf1169feca0a6e61b44580f50b8456ad4df5856700dd236dc3b1b33e288e2c7bacae88db8b8dbfcfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240596828.exe
Filesize
677KB

MD5
53a0d67cfbb64e20eff3ddd31f35ff50

SHA1
d7de4394a18b0a44137579b4edd9f560e5db04d0

SHA256
e191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718

SHA512
6d4fd8c3fe6435701e2272ab1537ce2c4beb3561c32b393bf1169feca0a6e61b44580f50b8456ad4df5856700dd236dc3b1b33e288e2c7bacae88db8b8dbfcfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240596906.exe
Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240597359.exe
Filesize
677KB

MD5
53a0d67cfbb64e20eff3ddd31f35ff50

SHA1
d7de4394a18b0a44137579b4edd9f560e5db04d0

SHA256
e191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718

SHA512
6d4fd8c3fe6435701e2272ab1537ce2c4beb3561c32b393bf1169feca0a6e61b44580f50b8456ad4df5856700dd236dc3b1b33e288e2c7bacae88db8b8dbfcfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240597359.exe
Filesize
677KB

MD5
53a0d67cfbb64e20eff3ddd31f35ff50

SHA1
d7de4394a18b0a44137579b4edd9f560e5db04d0

SHA256
e191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718

SHA512
6d4fd8c3fe6435701e2272ab1537ce2c4beb3561c32b393bf1169feca0a6e61b44580f50b8456ad4df5856700dd236dc3b1b33e288e2c7bacae88db8b8dbfcfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240597437.exe
Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240597828.exe
Filesize
677KB

MD5
53a0d67cfbb64e20eff3ddd31f35ff50

SHA1
d7de4394a18b0a44137579b4edd9f560e5db04d0

SHA256
e191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718

SHA512
6d4fd8c3fe6435701e2272ab1537ce2c4beb3561c32b393bf1169feca0a6e61b44580f50b8456ad4df5856700dd236dc3b1b33e288e2c7bacae88db8b8dbfcfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240597828.exe
Filesize
677KB

MD5
53a0d67cfbb64e20eff3ddd31f35ff50

SHA1
d7de4394a18b0a44137579b4edd9f560e5db04d0

SHA256
e191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718

SHA512
6d4fd8c3fe6435701e2272ab1537ce2c4beb3561c32b393bf1169feca0a6e61b44580f50b8456ad4df5856700dd236dc3b1b33e288e2c7bacae88db8b8dbfcfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240597906.exe
Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240598187.exe
Filesize
677KB

MD5
53a0d67cfbb64e20eff3ddd31f35ff50

SHA1
d7de4394a18b0a44137579b4edd9f560e5db04d0

SHA256
e191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718

SHA512
6d4fd8c3fe6435701e2272ab1537ce2c4beb3561c32b393bf1169feca0a6e61b44580f50b8456ad4df5856700dd236dc3b1b33e288e2c7bacae88db8b8dbfcfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240598187.exe
Filesize
677KB

MD5
53a0d67cfbb64e20eff3ddd31f35ff50

SHA1
d7de4394a18b0a44137579b4edd9f560e5db04d0

SHA256
e191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718

SHA512
6d4fd8c3fe6435701e2272ab1537ce2c4beb3561c32b393bf1169feca0a6e61b44580f50b8456ad4df5856700dd236dc3b1b33e288e2c7bacae88db8b8dbfcfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240598515.exe
Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240598875.exe
Filesize
677KB

MD5
53a0d67cfbb64e20eff3ddd31f35ff50

SHA1
d7de4394a18b0a44137579b4edd9f560e5db04d0

SHA256
e191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718

SHA512
6d4fd8c3fe6435701e2272ab1537ce2c4beb3561c32b393bf1169feca0a6e61b44580f50b8456ad4df5856700dd236dc3b1b33e288e2c7bacae88db8b8dbfcfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240598875.exe
Filesize
677KB

MD5
53a0d67cfbb64e20eff3ddd31f35ff50

SHA1
d7de4394a18b0a44137579b4edd9f560e5db04d0

SHA256
e191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718

SHA512
6d4fd8c3fe6435701e2272ab1537ce2c4beb3561c32b393bf1169feca0a6e61b44580f50b8456ad4df5856700dd236dc3b1b33e288e2c7bacae88db8b8dbfcfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240598984.exe
Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240599421.exe
Filesize
677KB

MD5
53a0d67cfbb64e20eff3ddd31f35ff50

SHA1
d7de4394a18b0a44137579b4edd9f560e5db04d0

SHA256
e191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718

SHA512
6d4fd8c3fe6435701e2272ab1537ce2c4beb3561c32b393bf1169feca0a6e61b44580f50b8456ad4df5856700dd236dc3b1b33e288e2c7bacae88db8b8dbfcfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240599421.exe
Filesize
677KB

MD5
53a0d67cfbb64e20eff3ddd31f35ff50

SHA1
d7de4394a18b0a44137579b4edd9f560e5db04d0

SHA256
e191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718

SHA512
6d4fd8c3fe6435701e2272ab1537ce2c4beb3561c32b393bf1169feca0a6e61b44580f50b8456ad4df5856700dd236dc3b1b33e288e2c7bacae88db8b8dbfcfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240599453.exe
Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240599953.exe
Filesize
677KB

MD5
53a0d67cfbb64e20eff3ddd31f35ff50

SHA1
d7de4394a18b0a44137579b4edd9f560e5db04d0

SHA256
e191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718

SHA512
6d4fd8c3fe6435701e2272ab1537ce2c4beb3561c32b393bf1169feca0a6e61b44580f50b8456ad4df5856700dd236dc3b1b33e288e2c7bacae88db8b8dbfcfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240599953.exe
Filesize
677KB

MD5
53a0d67cfbb64e20eff3ddd31f35ff50

SHA1
d7de4394a18b0a44137579b4edd9f560e5db04d0

SHA256
e191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718

SHA512
6d4fd8c3fe6435701e2272ab1537ce2c4beb3561c32b393bf1169feca0a6e61b44580f50b8456ad4df5856700dd236dc3b1b33e288e2c7bacae88db8b8dbfcfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240600312.exe
Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240600671.exe
Filesize
677KB

MD5
53a0d67cfbb64e20eff3ddd31f35ff50

SHA1
d7de4394a18b0a44137579b4edd9f560e5db04d0

SHA256
e191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718

SHA512
6d4fd8c3fe6435701e2272ab1537ce2c4beb3561c32b393bf1169feca0a6e61b44580f50b8456ad4df5856700dd236dc3b1b33e288e2c7bacae88db8b8dbfcfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240600671.exe
Filesize
677KB

MD5
53a0d67cfbb64e20eff3ddd31f35ff50

SHA1
d7de4394a18b0a44137579b4edd9f560e5db04d0

SHA256
e191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718

SHA512
6d4fd8c3fe6435701e2272ab1537ce2c4beb3561c32b393bf1169feca0a6e61b44580f50b8456ad4df5856700dd236dc3b1b33e288e2c7bacae88db8b8dbfcfb

Download Submit
C:\Windows\SysWOW64\fsb.stb
Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb
Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb
Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb
Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb
Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb
Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb
Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb
Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb
Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb
Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.tmp
Filesize
677KB

MD5
53a0d67cfbb64e20eff3ddd31f35ff50

SHA1
d7de4394a18b0a44137579b4edd9f560e5db04d0

SHA256
e191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718

SHA512
6d4fd8c3fe6435701e2272ab1537ce2c4beb3561c32b393bf1169feca0a6e61b44580f50b8456ad4df5856700dd236dc3b1b33e288e2c7bacae88db8b8dbfcfb

Download Submit
C:\Windows\SysWOW64\fsb.tmp
Filesize
677KB

MD5
53a0d67cfbb64e20eff3ddd31f35ff50

SHA1
d7de4394a18b0a44137579b4edd9f560e5db04d0

SHA256
e191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718

SHA512
6d4fd8c3fe6435701e2272ab1537ce2c4beb3561c32b393bf1169feca0a6e61b44580f50b8456ad4df5856700dd236dc3b1b33e288e2c7bacae88db8b8dbfcfb

Download Submit
C:\Windows\SysWOW64\fsb.tmp
Filesize
677KB

MD5
53a0d67cfbb64e20eff3ddd31f35ff50

SHA1
d7de4394a18b0a44137579b4edd9f560e5db04d0

SHA256
e191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718

SHA512
6d4fd8c3fe6435701e2272ab1537ce2c4beb3561c32b393bf1169feca0a6e61b44580f50b8456ad4df5856700dd236dc3b1b33e288e2c7bacae88db8b8dbfcfb

Download Submit
C:\Windows\SysWOW64\fsb.tmp
Filesize
677KB

MD5
53a0d67cfbb64e20eff3ddd31f35ff50

SHA1
d7de4394a18b0a44137579b4edd9f560e5db04d0

SHA256
e191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718

SHA512
6d4fd8c3fe6435701e2272ab1537ce2c4beb3561c32b393bf1169feca0a6e61b44580f50b8456ad4df5856700dd236dc3b1b33e288e2c7bacae88db8b8dbfcfb

Download Submit
C:\Windows\SysWOW64\fsb.tmp
Filesize
677KB

MD5
53a0d67cfbb64e20eff3ddd31f35ff50

SHA1
d7de4394a18b0a44137579b4edd9f560e5db04d0

SHA256
e191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718

SHA512
6d4fd8c3fe6435701e2272ab1537ce2c4beb3561c32b393bf1169feca0a6e61b44580f50b8456ad4df5856700dd236dc3b1b33e288e2c7bacae88db8b8dbfcfb

Download Submit
C:\Windows\SysWOW64\fsb.tmp
Filesize
677KB

MD5
53a0d67cfbb64e20eff3ddd31f35ff50

SHA1
d7de4394a18b0a44137579b4edd9f560e5db04d0

SHA256
e191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718

SHA512
6d4fd8c3fe6435701e2272ab1537ce2c4beb3561c32b393bf1169feca0a6e61b44580f50b8456ad4df5856700dd236dc3b1b33e288e2c7bacae88db8b8dbfcfb

Download Submit
C:\Windows\SysWOW64\fsb.tmp
Filesize
677KB

MD5
53a0d67cfbb64e20eff3ddd31f35ff50

SHA1
d7de4394a18b0a44137579b4edd9f560e5db04d0

SHA256
e191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718

SHA512
6d4fd8c3fe6435701e2272ab1537ce2c4beb3561c32b393bf1169feca0a6e61b44580f50b8456ad4df5856700dd236dc3b1b33e288e2c7bacae88db8b8dbfcfb

Download Submit
C:\Windows\SysWOW64\fsb.tmp
Filesize
677KB

MD5
53a0d67cfbb64e20eff3ddd31f35ff50

SHA1
d7de4394a18b0a44137579b4edd9f560e5db04d0

SHA256
e191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718

SHA512
6d4fd8c3fe6435701e2272ab1537ce2c4beb3561c32b393bf1169feca0a6e61b44580f50b8456ad4df5856700dd236dc3b1b33e288e2c7bacae88db8b8dbfcfb

Download Submit
C:\Windows\SysWOW64\fsb.tmp
Filesize
677KB

MD5
53a0d67cfbb64e20eff3ddd31f35ff50

SHA1
d7de4394a18b0a44137579b4edd9f560e5db04d0

SHA256
e191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718

SHA512
6d4fd8c3fe6435701e2272ab1537ce2c4beb3561c32b393bf1169feca0a6e61b44580f50b8456ad4df5856700dd236dc3b1b33e288e2c7bacae88db8b8dbfcfb

Download Submit
C:\Windows\SysWOW64\fsb.tmp
Filesize
677KB

MD5
53a0d67cfbb64e20eff3ddd31f35ff50

SHA1
d7de4394a18b0a44137579b4edd9f560e5db04d0

SHA256
e191ca0df4ba047fb13cb2f305e045755b6070d9f3570ea27ee33d46be858718

SHA512
6d4fd8c3fe6435701e2272ab1537ce2c4beb3561c32b393bf1169feca0a6e61b44580f50b8456ad4df5856700dd236dc3b1b33e288e2c7bacae88db8b8dbfcfb

Download Submit
C:\Windows\SysWOW64\notpad.exe
Filesize
850KB

MD5
35156db50a8ac586e802d058caf08ebd

SHA1
3df7b2ba1eb42d5c3928b823cf7f3cb6c01afa32

SHA256
4c3ddbe4b84c0511a7792239759e37d26901f6829f76392d034c750658146fb5

SHA512
4ccf67d8c614965121297d53cd350a310b237f2a53759caad155bea33622dc85921a5e9ccc44905a910f9804ecd3d848c622a7b740a09d3868eb43b077270f57

Download Submit
C:\Windows\SysWOW64\notpad.exe
Filesize
850KB

MD5
35156db50a8ac586e802d058caf08ebd

SHA1
3df7b2ba1eb42d5c3928b823cf7f3cb6c01afa32

SHA256
4c3ddbe4b84c0511a7792239759e37d26901f6829f76392d034c750658146fb5

SHA512
4ccf67d8c614965121297d53cd350a310b237f2a53759caad155bea33622dc85921a5e9ccc44905a910f9804ecd3d848c622a7b740a09d3868eb43b077270f57

Download Submit
C:\Windows\SysWOW64\notpad.exe
Filesize
850KB

MD5
35156db50a8ac586e802d058caf08ebd

SHA1
3df7b2ba1eb42d5c3928b823cf7f3cb6c01afa32

SHA256
4c3ddbe4b84c0511a7792239759e37d26901f6829f76392d034c750658146fb5

SHA512
4ccf67d8c614965121297d53cd350a310b237f2a53759caad155bea33622dc85921a5e9ccc44905a910f9804ecd3d848c622a7b740a09d3868eb43b077270f57

Download Submit
C:\Windows\SysWOW64\notpad.exe
Filesize
850KB

MD5
35156db50a8ac586e802d058caf08ebd

SHA1
3df7b2ba1eb42d5c3928b823cf7f3cb6c01afa32

SHA256
4c3ddbe4b84c0511a7792239759e37d26901f6829f76392d034c750658146fb5

SHA512
4ccf67d8c614965121297d53cd350a310b237f2a53759caad155bea33622dc85921a5e9ccc44905a910f9804ecd3d848c622a7b740a09d3868eb43b077270f57

Download Submit
C:\Windows\SysWOW64\notpad.exe
Filesize
850KB

MD5
35156db50a8ac586e802d058caf08ebd

SHA1
3df7b2ba1eb42d5c3928b823cf7f3cb6c01afa32

SHA256
4c3ddbe4b84c0511a7792239759e37d26901f6829f76392d034c750658146fb5

SHA512
4ccf67d8c614965121297d53cd350a310b237f2a53759caad155bea33622dc85921a5e9ccc44905a910f9804ecd3d848c622a7b740a09d3868eb43b077270f57

Download Submit
C:\Windows\SysWOW64\notpad.exe
Filesize
850KB

MD5
35156db50a8ac586e802d058caf08ebd

SHA1
3df7b2ba1eb42d5c3928b823cf7f3cb6c01afa32

SHA256
4c3ddbe4b84c0511a7792239759e37d26901f6829f76392d034c750658146fb5

SHA512
4ccf67d8c614965121297d53cd350a310b237f2a53759caad155bea33622dc85921a5e9ccc44905a910f9804ecd3d848c622a7b740a09d3868eb43b077270f57

Download Submit
C:\Windows\SysWOW64\notpad.exe
Filesize
850KB

MD5
35156db50a8ac586e802d058caf08ebd

SHA1
3df7b2ba1eb42d5c3928b823cf7f3cb6c01afa32

SHA256
4c3ddbe4b84c0511a7792239759e37d26901f6829f76392d034c750658146fb5

SHA512
4ccf67d8c614965121297d53cd350a310b237f2a53759caad155bea33622dc85921a5e9ccc44905a910f9804ecd3d848c622a7b740a09d3868eb43b077270f57

Download Submit
C:\Windows\SysWOW64\notpad.exe
Filesize
850KB

MD5
35156db50a8ac586e802d058caf08ebd

SHA1
3df7b2ba1eb42d5c3928b823cf7f3cb6c01afa32

SHA256
4c3ddbe4b84c0511a7792239759e37d26901f6829f76392d034c750658146fb5

SHA512
4ccf67d8c614965121297d53cd350a310b237f2a53759caad155bea33622dc85921a5e9ccc44905a910f9804ecd3d848c622a7b740a09d3868eb43b077270f57

Download Submit
C:\Windows\SysWOW64\notpad.exe
Filesize
850KB

MD5
35156db50a8ac586e802d058caf08ebd

SHA1
3df7b2ba1eb42d5c3928b823cf7f3cb6c01afa32

SHA256
4c3ddbe4b84c0511a7792239759e37d26901f6829f76392d034c750658146fb5

SHA512
4ccf67d8c614965121297d53cd350a310b237f2a53759caad155bea33622dc85921a5e9ccc44905a910f9804ecd3d848c622a7b740a09d3868eb43b077270f57

Download Submit
C:\Windows\SysWOW64\notpad.exe
Filesize
850KB

MD5
35156db50a8ac586e802d058caf08ebd

SHA1
3df7b2ba1eb42d5c3928b823cf7f3cb6c01afa32

SHA256
4c3ddbe4b84c0511a7792239759e37d26901f6829f76392d034c750658146fb5

SHA512
4ccf67d8c614965121297d53cd350a310b237f2a53759caad155bea33622dc85921a5e9ccc44905a910f9804ecd3d848c622a7b740a09d3868eb43b077270f57

Download Submit
C:\Windows\SysWOW64\notpad.exe
Filesize
850KB

MD5
35156db50a8ac586e802d058caf08ebd

SHA1
3df7b2ba1eb42d5c3928b823cf7f3cb6c01afa32

SHA256
4c3ddbe4b84c0511a7792239759e37d26901f6829f76392d034c750658146fb5

SHA512
4ccf67d8c614965121297d53cd350a310b237f2a53759caad155bea33622dc85921a5e9ccc44905a910f9804ecd3d848c622a7b740a09d3868eb43b077270f57

Download Submit
C:\Windows\SysWOW64\notpad.exe
Filesize
850KB

MD5
35156db50a8ac586e802d058caf08ebd

SHA1
3df7b2ba1eb42d5c3928b823cf7f3cb6c01afa32

SHA256
4c3ddbe4b84c0511a7792239759e37d26901f6829f76392d034c750658146fb5

SHA512
4ccf67d8c614965121297d53cd350a310b237f2a53759caad155bea33622dc85921a5e9ccc44905a910f9804ecd3d848c622a7b740a09d3868eb43b077270f57

Download Submit
memory/112-275-0x0000000000000000-mapping.dmp

Download
memory/224-274-0x0000000000000000-mapping.dmp

Download
memory/224-321-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/540-185-0x0000000000000000-mapping.dmp

Download
memory/540-194-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/756-257-0x0000000000000000-mapping.dmp

Download
memory/756-315-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/756-312-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/840-235-0x0000000000000000-mapping.dmp

Download
memory/840-240-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/840-242-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1048-313-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1108-241-0x0000000000000000-mapping.dmp

Download
memory/1156-305-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1156-301-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1172-248-0x0000000000000000-mapping.dmp

Download
memory/1256-180-0x0000000000000000-mapping.dmp

Download
memory/1256-289-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1256-288-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1392-225-0x0000000000000000-mapping.dmp

Download
memory/1392-234-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1420-296-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1568-167-0x0000000000000000-mapping.dmp

Download
memory/1640-212-0x0000000000000000-mapping.dmp

Download
memory/1684-284-0x0000000000000000-mapping.dmp

Download
memory/1696-146-0x0000000000000000-mapping.dmp

Download
memory/1728-267-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1728-264-0x0000000000000000-mapping.dmp

Download
memory/1784-197-0x0000000000000000-mapping.dmp

Download
memory/1820-310-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1824-270-0x0000000000000000-mapping.dmp

Download
memory/1876-207-0x0000000000000000-mapping.dmp

Download
memory/1884-299-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1892-141-0x0000000000000000-mapping.dmp

Download
memory/1912-174-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1912-165-0x0000000000000000-mapping.dmp

Download
memory/1936-205-0x0000000000000000-mapping.dmp

Download
memory/1936-214-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1952-286-0x0000000000000000-mapping.dmp

Download
memory/1952-287-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2112-177-0x0000000000000000-mapping.dmp

Download
memory/2152-204-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2152-195-0x0000000000000000-mapping.dmp

Download
memory/2188-307-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2264-151-0x0000000000000000-mapping.dmp

Download
memory/2316-232-0x0000000000000000-mapping.dmp

Download
memory/2320-265-0x0000000000000000-mapping.dmp

Download
memory/2332-217-0x0000000000000000-mapping.dmp

Download
memory/2344-244-0x0000000000000000-mapping.dmp

Download
memory/2368-291-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2372-192-0x0000000000000000-mapping.dmp

Download
memory/2380-246-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2380-243-0x0000000000000000-mapping.dmp

Download
memory/2416-314-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2416-311-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2444-200-0x0000000000000000-mapping.dmp

Download
memory/2572-278-0x0000000000000000-mapping.dmp

Download
memory/2656-247-0x0000000000000000-mapping.dmp

Download
memory/2656-250-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2720-227-0x0000000000000000-mapping.dmp

Download
memory/2832-290-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2848-302-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2848-303-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2916-271-0x0000000000000000-mapping.dmp

Download
memory/2960-187-0x0000000000000000-mapping.dmp

Download
memory/2992-153-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2992-144-0x0000000000000000-mapping.dmp

Download
memory/3028-172-0x0000000000000000-mapping.dmp

Download
memory/3076-220-0x0000000000000000-mapping.dmp

Download
memory/3088-249-0x0000000000000000-mapping.dmp

Download
memory/3100-254-0x0000000000000000-mapping.dmp

Download
memory/3144-262-0x0000000000000000-mapping.dmp

Download
memory/3304-309-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3372-132-0x0000000000000000-mapping.dmp

Download
memory/3372-140-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3372-143-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3404-300-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3452-322-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3628-162-0x0000000000000000-mapping.dmp

Download
memory/3632-184-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3632-175-0x0000000000000000-mapping.dmp

Download
memory/3640-283-0x0000000000000000-mapping.dmp

Download
memory/3672-279-0x0000000000000000-mapping.dmp

Download
memory/3696-277-0x0000000000000000-mapping.dmp

Download
memory/3696-280-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3788-295-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3800-245-0x0000000000000000-mapping.dmp

Download
memory/3816-298-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3816-297-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3972-258-0x0000000000000000-mapping.dmp

Download
memory/4024-261-0x0000000000000000-mapping.dmp

Download
memory/4104-317-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4208-293-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4208-292-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4212-304-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4240-319-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4284-237-0x0000000000000000-mapping.dmp

Download
memory/4308-266-0x0000000000000000-mapping.dmp

Download
memory/4320-320-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4324-276-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4324-273-0x0000000000000000-mapping.dmp

Download
memory/4340-294-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4428-263-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4428-260-0x0000000000000000-mapping.dmp

Download
memory/4448-252-0x0000000000000000-mapping.dmp

Download
memory/4516-255-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4516-253-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4516-251-0x0000000000000000-mapping.dmp

Download
memory/4548-323-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4588-215-0x0000000000000000-mapping.dmp

Download
memory/4588-224-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4656-156-0x0000000000000000-mapping.dmp

Download
memory/4704-308-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4732-285-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4732-282-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4732-281-0x0000000000000000-mapping.dmp

Download
memory/4760-256-0x0000000000000000-mapping.dmp

Download
memory/4760-259-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4772-269-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4772-272-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4772-268-0x0000000000000000-mapping.dmp

Download
memory/4868-306-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5044-316-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5048-161-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5048-154-0x0000000000000000-mapping.dmp

Download
memory/5048-164-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5080-318-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5084-135-0x0000000000000000-mapping.dmp

Download