3f65dcd791f2a29eb9b71e5b0e284bff3e97d221764b64d55d72582239acde8c

Analysis

max time kernel
151s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-11-2022 17:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f65dcd791f2a29eb9b71e5b0e284bff3e97d221764b64d55d72582239acde8c.exe
Size

523KB
MD5

44a057e92c790091dbbe2396fed978c0
SHA1

9a125184fd7ab741a8a45a2381cdf010c8fa1d8f
SHA256

3f65dcd791f2a29eb9b71e5b0e284bff3e97d221764b64d55d72582239acde8c
SHA512

41395310a55c5ada19d4dbbacb46922d8cbf3e265b579a8de6bb9ef35b1ced1ba121d1a02008078d23be60a0d20d01bbd52ce5359791f1a722443ccd8b98dec3
SSDEEP

12288:HP5R9PfPhR9PBPhR9P5x5GpX/8SDyo1tj:xRbR9Rd5GJ/NDyo1tj

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

Processes:

tmp240562078.exetmp240562203.exenotpad.exetmp240563781.exetmp240563843.exenotpad.exetmp240564468.exetmp240564515.exenotpad.exetmp240564812.exetmp240564859.exenotpad.exetmp240565109.exetmp240565171.exenotpad.exetmp240565406.exetmp240565484.exenotpad.exetmp240565671.exetmp240565703.exenotpad.exetmp240566171.exetmp240566265.exenotpad.exetmp240566656.exetmp240566687.exenotpad.exetmp240567062.exetmp240567140.exenotpad.exetmp240567437.exetmp240567640.exenotpad.exetmp240567921.exetmp240567953.exenotpad.exetmp240568140.exetmp240568171.exenotpad.exetmp240568375.exetmp240568437.exenotpad.exetmp240568703.exetmp240568781.exenotpad.exetmp240569000.exetmp240569031.exenotpad.exetmp240569250.exetmp240569296.exenotpad.exetmp240569531.exetmp240569578.exenotpad.exetmp240569765.exenotpad.exetmp240569812.exetmp240570015.exenotpad.exetmp240589140.exetmp240588921.exetmp240589937.exenotpad.exetmp240590078.exe

pid	process
1376	tmp240562078.exe
1132	tmp240562203.exe
4928	notpad.exe
2536	tmp240563781.exe
4040	tmp240563843.exe
1044	notpad.exe
5036	tmp240564468.exe
2892	tmp240564515.exe
4116	notpad.exe
4540	tmp240564812.exe
4404	tmp240564859.exe
4244	notpad.exe
2492	tmp240565109.exe
2292	tmp240565171.exe
3128	notpad.exe
4624	tmp240565406.exe
1484	tmp240565484.exe
1988	notpad.exe
3860	tmp240565671.exe
1888	tmp240565703.exe
3528	notpad.exe
5056	tmp240566171.exe
2168	tmp240566265.exe
432	notpad.exe
1592	tmp240566656.exe
4692	tmp240566687.exe
3024	notpad.exe
3080	tmp240567062.exe
4912	tmp240567140.exe
4296	notpad.exe
4564	tmp240567437.exe
4876	tmp240567640.exe
764	notpad.exe
5092	tmp240567921.exe
3148	tmp240567953.exe
3496	notpad.exe
2040	tmp240568140.exe
4280	tmp240568171.exe
5008	notpad.exe
4868	tmp240568375.exe
4324	tmp240568437.exe
508	notpad.exe
4932	tmp240568703.exe
2312	tmp240568781.exe
4000	notpad.exe
3464	tmp240569000.exe
3396	tmp240569031.exe
4148	notpad.exe
1308	tmp240569250.exe
4304	tmp240569296.exe
3292	notpad.exe
4844	tmp240569531.exe
2036	tmp240569578.exe
2564	notpad.exe
4848	tmp240569765.exe
4028	notpad.exe
3900	tmp240569812.exe
4264	tmp240570015.exe
3352	notpad.exe
260	tmp240589140.exe
2324	tmp240588921.exe
4284	tmp240589937.exe
2892	notpad.exe
1420	tmp240590078.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2252-132-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2252-139-0x0000000000400000-0x000000000041F000-memory.dmp	upx
C:\Windows\SysWOW64\notpad.exe	upx
behavioral2/memory/4928-143-0x0000000000400000-0x000000000041F000-memory.dmp	upx
C:\Windows\SysWOW64\notpad.exe	upx
C:\Windows\SysWOW64\fsb.stb	upx
behavioral2/memory/4928-151-0x0000000000400000-0x000000000041F000-memory.dmp	upx
C:\Windows\SysWOW64\notpad.exe	upx
C:\Windows\SysWOW64\fsb.stb	upx
behavioral2/memory/1044-161-0x0000000000400000-0x000000000041F000-memory.dmp	upx
C:\Windows\SysWOW64\notpad.exe	upx
behavioral2/memory/4116-164-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4116-172-0x0000000000400000-0x000000000041F000-memory.dmp	upx
C:\Windows\SysWOW64\fsb.stb	upx
C:\Windows\SysWOW64\notpad.exe	upx
C:\Windows\SysWOW64\fsb.stb	upx
behavioral2/memory/4244-182-0x0000000000400000-0x000000000041F000-memory.dmp	upx
C:\Windows\SysWOW64\notpad.exe	upx
C:\Windows\SysWOW64\fsb.stb	upx
behavioral2/memory/3128-192-0x0000000000400000-0x000000000041F000-memory.dmp	upx
C:\Windows\SysWOW64\notpad.exe	upx
C:\Windows\SysWOW64\fsb.stb	upx
behavioral2/memory/1988-201-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1988-203-0x0000000000400000-0x000000000041F000-memory.dmp	upx
C:\Windows\SysWOW64\notpad.exe	upx
C:\Windows\SysWOW64\fsb.stb	upx
behavioral2/memory/3528-213-0x0000000000400000-0x000000000041F000-memory.dmp	upx
C:\Windows\SysWOW64\notpad.exe	upx
C:\Windows\SysWOW64\fsb.stb	upx
behavioral2/memory/432-223-0x0000000000400000-0x000000000041F000-memory.dmp	upx
C:\Windows\SysWOW64\notpad.exe	upx
behavioral2/memory/3024-233-0x0000000000400000-0x000000000041F000-memory.dmp	upx
C:\Windows\SysWOW64\fsb.stb	upx
C:\Windows\SysWOW64\notpad.exe	upx
C:\Windows\SysWOW64\fsb.stb	upx
behavioral2/memory/4296-242-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/764-246-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3496-250-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5008-254-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/508-258-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4000-262-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4148-266-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3292-270-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2564-273-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4028-275-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2564-278-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3352-280-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3352-285-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4028-284-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2892-288-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4208-289-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4208-290-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3504-291-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3504-292-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/912-293-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4960-294-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/364-295-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/364-296-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4804-297-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1336-298-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4336-299-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4336-300-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4336-301-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2224-302-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp240618500.exetmp240667062.exetmp240686218.exetmp240614953.exetmp240658593.exetmp240662687.exetmp240663765.exetmp240684078.exetmp240685203.exetmp240616046.exetmp240564812.exetmp240608328.exetmp240647390.exetmp240659609.exetmp240667781.exetmp240564468.exetmp240656125.exetmp240608906.exetmp240641156.exetmp240685078.exetmp240707359.exetmp240607750.exetmp240614765.exetmp240652312.exetmp240655078.exetmp240669953.exetmp240613015.exetmp240611843.exetmp240613750.exetmp240659812.exetmp240660625.exetmp240665484.exetmp240607031.exetmp240668062.exetmp240668890.exetmp240708281.exetmp240664609.exetmp240654093.exetmp240660812.exetmp240565671.exetmp240605000.exetmp240617984.exetmp240662140.exetmp240684343.exetmp240707671.exetmp240589140.exetmp240666484.exetmp240565406.exetmp240610031.exetmp240665890.exetmp240606734.exetmp240654250.exetmp240658906.exetmp240666671.exetmp240567062.exetmp240618109.exetmp240655812.exetmp240656468.exetmp240657968.exetmp240664390.exetmp240616250.exetmp240609265.exetmp240611234.exetmp240613218.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240618500.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240667062.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240686218.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240614953.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240658593.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240662687.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240663765.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240684078.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240685203.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240616046.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240564812.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240608328.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240647390.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240659609.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240667781.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240564468.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240656125.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240608906.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240641156.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240685078.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240707359.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240607750.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240614765.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240652312.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240655078.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240669953.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240613015.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240611843.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240613750.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240659812.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240660625.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240665484.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240607031.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240668062.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240668890.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240708281.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240664609.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240654093.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240660812.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240565671.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240605000.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240617984.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240662140.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240684343.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240707671.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240589140.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240666484.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240565406.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240610031.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240665890.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240606734.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240654250.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240658906.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240666671.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240567062.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240618109.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240655812.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240656468.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240657968.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240664390.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240616250.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240609265.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240611234.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240613218.exe

Drops file in System32 directory 64 IoCs

Processes:

tmp240607390.exetmp240615875.exetmp240652312.exetmp240660421.exetmp240664390.exetmp240566656.exetmp240568375.exetmp240658593.exetmp240659609.exetmp240669546.exetmp240590078.exetmp240608687.exetmp240617312.exetmp240658343.exetmp240565406.exetmp240613750.exetmp240655265.exetmp240669953.exetmp240614531.exetmp240613015.exetmp240615312.exetmp240593984.exetmp240608328.exetmp240664609.exetmp240662968.exetmp240663765.exetmp240665484.exetmp240669890.exetmp240684609.exetmp240606734.exetmp240659812.exetmp240609640.exetmp240661406.exetmp240565671.exetmp240605718.exetmp240660234.exetmp240685703.exetmp240569531.exetmp240658906.exetmp240590281.exetmp240647390.exetmp240665125.exetmp240667062.exetmp240668687.exetmp240616046.exetmp240668421.exetmp240659390.exetmp240667781.exetmp240684078.exetmp240593765.exetmp240607031.exe

description	ioc	process
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240607390.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240615875.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240652312.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240660421.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240664390.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240566656.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240568375.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240658593.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240659609.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240669546.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240590078.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240608687.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240617312.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240658343.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240565406.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240613750.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240655265.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240658343.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240669953.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240614531.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240614531.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240613015.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240615312.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240593984.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240608328.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240659609.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240664609.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240662968.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240663765.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240665484.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240669890.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240684609.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240606734.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240659812.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240609640.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240661406.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240565671.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240605718.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240565671.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240660234.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240662968.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240685703.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240569531.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240658906.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240590281.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240647390.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240665125.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240665484.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240667062.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240668687.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240605718.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240616046.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240668421.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240608328.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240664390.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240659390.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240669890.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240659609.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240659609.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240667781.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240667781.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240684078.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240593765.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240607031.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

tmp240668421.exetmp240606531.exetmp240606734.exetmp240610031.exetmp240611234.exetmp240615875.exetmp240665484.exetmp240570015.exetmp240617312.exetmp240656718.exetmp240708281.exetmp240589140.exetmp240605718.exetmp240607750.exetmp240608906.exetmp240614140.exetmp240659812.exetmp240590531.exetmp240592281.exetmp240608109.exetmp240657968.exetmp240664390.exetmp240665125.exetmp240590281.exetmp240616453.exetmp240660625.exetmp240661406.exetmp240666671.exetmp240613015.exetmp240652953.exetmp240659390.exetmp240663765.exetmp240707359.exetmp240565671.exetmp240667531.exetmp240683515.exetmp240684343.exetmp240665890.exetmp240686468.exetmp240605000.exetmp240608328.exetmp240612109.exetmp240616250.exetmp240663546.exetmp240667484.exetmp240593984.exetmp240616046.exetmp240617984.exetmp240668062.exetmp240669546.exetmp240564812.exetmp240569531.exetmp240590078.exetmp240659609.exetmp240668890.exetmp240684078.exetmp240567437.exetmp240568703.exetmp240569765.exetmp240611531.exetmp240667781.exetmp240685500.exetmp240616671.exetmp240618109.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240668421.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240606531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240606734.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240610031.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240611234.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240615875.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240665484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240570015.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240617312.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240656718.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240708281.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240589140.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240605718.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240607750.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240608906.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240614140.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240659812.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240590531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240592281.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240608109.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240657968.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240664390.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240665125.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240590281.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240616453.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240660625.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240661406.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240666671.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240613015.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240652953.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240659390.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240663765.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240707359.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240565671.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240667531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240683515.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240684343.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240665890.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240686468.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240605000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240608328.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240612109.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240616250.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240663546.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240667484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240593984.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240616046.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240617984.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240668062.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240669546.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240564812.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240569531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240590078.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240659609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240668890.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240684078.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240567437.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240568703.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240569765.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240611531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240667781.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240685500.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240616671.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240618109.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

3f65dcd791f2a29eb9b71e5b0e284bff3e97d221764b64d55d72582239acde8c.exetmp240562078.exenotpad.exetmp240563781.exenotpad.exetmp240564468.exenotpad.exetmp240564812.exenotpad.exetmp240565109.exenotpad.exetmp240565406.exenotpad.exetmp240565671.exenotpad.exe

description	pid	process	target process
PID 2252 wrote to memory of 1376	2252	3f65dcd791f2a29eb9b71e5b0e284bff3e97d221764b64d55d72582239acde8c.exe	tmp240562078.exe
PID 2252 wrote to memory of 1376	2252	3f65dcd791f2a29eb9b71e5b0e284bff3e97d221764b64d55d72582239acde8c.exe	tmp240562078.exe
PID 2252 wrote to memory of 1376	2252	3f65dcd791f2a29eb9b71e5b0e284bff3e97d221764b64d55d72582239acde8c.exe	tmp240562078.exe
PID 2252 wrote to memory of 1132	2252	3f65dcd791f2a29eb9b71e5b0e284bff3e97d221764b64d55d72582239acde8c.exe	tmp240562203.exe
PID 2252 wrote to memory of 1132	2252	3f65dcd791f2a29eb9b71e5b0e284bff3e97d221764b64d55d72582239acde8c.exe	tmp240562203.exe
PID 2252 wrote to memory of 1132	2252	3f65dcd791f2a29eb9b71e5b0e284bff3e97d221764b64d55d72582239acde8c.exe	tmp240562203.exe
PID 1376 wrote to memory of 4928	1376	tmp240562078.exe	notpad.exe
PID 1376 wrote to memory of 4928	1376	tmp240562078.exe	notpad.exe
PID 1376 wrote to memory of 4928	1376	tmp240562078.exe	notpad.exe
PID 4928 wrote to memory of 2536	4928	notpad.exe	tmp240563781.exe
PID 4928 wrote to memory of 2536	4928	notpad.exe	tmp240563781.exe
PID 4928 wrote to memory of 2536	4928	notpad.exe	tmp240563781.exe
PID 4928 wrote to memory of 4040	4928	notpad.exe	tmp240563843.exe
PID 4928 wrote to memory of 4040	4928	notpad.exe	tmp240563843.exe
PID 4928 wrote to memory of 4040	4928	notpad.exe	tmp240563843.exe
PID 2536 wrote to memory of 1044	2536	tmp240563781.exe	notpad.exe
PID 2536 wrote to memory of 1044	2536	tmp240563781.exe	notpad.exe
PID 2536 wrote to memory of 1044	2536	tmp240563781.exe	notpad.exe
PID 1044 wrote to memory of 5036	1044	notpad.exe	tmp240564468.exe
PID 1044 wrote to memory of 5036	1044	notpad.exe	tmp240564468.exe
PID 1044 wrote to memory of 5036	1044	notpad.exe	tmp240564468.exe
PID 1044 wrote to memory of 2892	1044	notpad.exe	tmp240564515.exe
PID 1044 wrote to memory of 2892	1044	notpad.exe	tmp240564515.exe
PID 1044 wrote to memory of 2892	1044	notpad.exe	tmp240564515.exe
PID 5036 wrote to memory of 4116	5036	tmp240564468.exe	notpad.exe
PID 5036 wrote to memory of 4116	5036	tmp240564468.exe	notpad.exe
PID 5036 wrote to memory of 4116	5036	tmp240564468.exe	notpad.exe
PID 4116 wrote to memory of 4540	4116	notpad.exe	tmp240564812.exe
PID 4116 wrote to memory of 4540	4116	notpad.exe	tmp240564812.exe
PID 4116 wrote to memory of 4540	4116	notpad.exe	tmp240564812.exe
PID 4116 wrote to memory of 4404	4116	notpad.exe	tmp240564859.exe
PID 4116 wrote to memory of 4404	4116	notpad.exe	tmp240564859.exe
PID 4116 wrote to memory of 4404	4116	notpad.exe	tmp240564859.exe
PID 4540 wrote to memory of 4244	4540	tmp240564812.exe	notpad.exe
PID 4540 wrote to memory of 4244	4540	tmp240564812.exe	notpad.exe
PID 4540 wrote to memory of 4244	4540	tmp240564812.exe	notpad.exe
PID 4244 wrote to memory of 2492	4244	notpad.exe	tmp240565109.exe
PID 4244 wrote to memory of 2492	4244	notpad.exe	tmp240565109.exe
PID 4244 wrote to memory of 2492	4244	notpad.exe	tmp240565109.exe
PID 4244 wrote to memory of 2292	4244	notpad.exe	tmp240565171.exe
PID 4244 wrote to memory of 2292	4244	notpad.exe	tmp240565171.exe
PID 4244 wrote to memory of 2292	4244	notpad.exe	tmp240565171.exe
PID 2492 wrote to memory of 3128	2492	tmp240565109.exe	notpad.exe
PID 2492 wrote to memory of 3128	2492	tmp240565109.exe	notpad.exe
PID 2492 wrote to memory of 3128	2492	tmp240565109.exe	notpad.exe
PID 3128 wrote to memory of 4624	3128	notpad.exe	tmp240565406.exe
PID 3128 wrote to memory of 4624	3128	notpad.exe	tmp240565406.exe
PID 3128 wrote to memory of 4624	3128	notpad.exe	tmp240565406.exe
PID 3128 wrote to memory of 1484	3128	notpad.exe	tmp240565484.exe
PID 3128 wrote to memory of 1484	3128	notpad.exe	tmp240565484.exe
PID 3128 wrote to memory of 1484	3128	notpad.exe	tmp240565484.exe
PID 4624 wrote to memory of 1988	4624	tmp240565406.exe	notpad.exe
PID 4624 wrote to memory of 1988	4624	tmp240565406.exe	notpad.exe
PID 4624 wrote to memory of 1988	4624	tmp240565406.exe	notpad.exe
PID 1988 wrote to memory of 3860	1988	notpad.exe	tmp240565671.exe
PID 1988 wrote to memory of 3860	1988	notpad.exe	tmp240565671.exe
PID 1988 wrote to memory of 3860	1988	notpad.exe	tmp240565671.exe
PID 1988 wrote to memory of 1888	1988	notpad.exe	tmp240565703.exe
PID 1988 wrote to memory of 1888	1988	notpad.exe	tmp240565703.exe
PID 1988 wrote to memory of 1888	1988	notpad.exe	tmp240565703.exe
PID 3860 wrote to memory of 3528	3860	tmp240565671.exe	notpad.exe
PID 3860 wrote to memory of 3528	3860	tmp240565671.exe	notpad.exe
PID 3860 wrote to memory of 3528	3860	tmp240565671.exe	notpad.exe
PID 3528 wrote to memory of 5056	3528	notpad.exe	tmp240566171.exe

C:\Users\Admin\AppData\Local\Temp\3f65dcd791f2a29eb9b71e5b0e284bff3e97d221764b64d55d72582239acde8c.exe
"C:\Users\Admin\AppData\Local\Temp\3f65dcd791f2a29eb9b71e5b0e284bff3e97d221764b64d55d72582239acde8c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2252

C:\Users\Admin\AppData\Local\Temp\tmp240562078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240562078.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1376

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4928

C:\Users\Admin\AppData\Local\Temp\tmp240563781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240563781.exe
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2536

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1044

C:\Users\Admin\AppData\Local\Temp\tmp240564468.exe
C:\Users\Admin\AppData\Local\Temp\tmp240564468.exe
6⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5036

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4116

C:\Users\Admin\AppData\Local\Temp\tmp240564812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240564812.exe
8⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4540

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4244

C:\Users\Admin\AppData\Local\Temp\tmp240565109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240565109.exe
10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2492

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3128

C:\Users\Admin\AppData\Local\Temp\tmp240565406.exe
C:\Users\Admin\AppData\Local\Temp\tmp240565406.exe
12⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4624

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1988

C:\Users\Admin\AppData\Local\Temp\tmp240565671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240565671.exe
14⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3860

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3528

C:\Users\Admin\AppData\Local\Temp\tmp240566171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240566171.exe
16⤵
- Executes dropped EXE
PID:5056

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
17⤵
- Executes dropped EXE
PID:432

C:\Users\Admin\AppData\Local\Temp\tmp240566656.exe
C:\Users\Admin\AppData\Local\Temp\tmp240566656.exe
18⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1592

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
19⤵
- Executes dropped EXE
PID:3024

C:\Users\Admin\AppData\Local\Temp\tmp240567062.exe
C:\Users\Admin\AppData\Local\Temp\tmp240567062.exe
20⤵
- Executes dropped EXE
- Checks computer location settings
PID:3080

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
21⤵
- Executes dropped EXE
PID:4296

C:\Users\Admin\AppData\Local\Temp\tmp240567437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240567437.exe
22⤵
- Executes dropped EXE
- Modifies registry class
PID:4564

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
23⤵
- Executes dropped EXE
PID:764

C:\Users\Admin\AppData\Local\Temp\tmp240567921.exe
C:\Users\Admin\AppData\Local\Temp\tmp240567921.exe
24⤵
- Executes dropped EXE
PID:5092

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
25⤵
- Executes dropped EXE
PID:3496

C:\Users\Admin\AppData\Local\Temp\tmp240568140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240568140.exe
26⤵
- Executes dropped EXE
PID:2040

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
27⤵
- Executes dropped EXE
PID:5008

C:\Users\Admin\AppData\Local\Temp\tmp240568375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240568375.exe
28⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4868

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
29⤵
- Executes dropped EXE
PID:508

C:\Users\Admin\AppData\Local\Temp\tmp240568703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240568703.exe
30⤵
- Executes dropped EXE
- Modifies registry class
PID:4932

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
31⤵
- Executes dropped EXE
PID:4000

C:\Users\Admin\AppData\Local\Temp\tmp240569000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240569000.exe
32⤵
- Executes dropped EXE
PID:3464

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
33⤵
- Executes dropped EXE
PID:4148

C:\Users\Admin\AppData\Local\Temp\tmp240569250.exe
C:\Users\Admin\AppData\Local\Temp\tmp240569250.exe
34⤵
- Executes dropped EXE
PID:1308

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
35⤵
- Executes dropped EXE
PID:3292

C:\Users\Admin\AppData\Local\Temp\tmp240569531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240569531.exe
36⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:4844

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
37⤵
- Executes dropped EXE
PID:2564

C:\Users\Admin\AppData\Local\Temp\tmp240569765.exe
C:\Users\Admin\AppData\Local\Temp\tmp240569765.exe
38⤵
- Executes dropped EXE
- Modifies registry class
PID:4848

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
39⤵
- Executes dropped EXE
PID:4028

C:\Users\Admin\AppData\Local\Temp\tmp240570015.exe
C:\Users\Admin\AppData\Local\Temp\tmp240570015.exe
40⤵
- Executes dropped EXE
- Modifies registry class
PID:4264

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
41⤵
- Executes dropped EXE
PID:3352

C:\Users\Admin\AppData\Local\Temp\tmp240589140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240589140.exe
42⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:260

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
43⤵
- Executes dropped EXE
PID:2892

C:\Users\Admin\AppData\Local\Temp\tmp240590078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240590078.exe
44⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1420

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
45⤵
PID:4208

C:\Users\Admin\AppData\Local\Temp\tmp240590281.exe
C:\Users\Admin\AppData\Local\Temp\tmp240590281.exe
46⤵
- Drops file in System32 directory
- Modifies registry class
PID:2248

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
47⤵
PID:3504

C:\Users\Admin\AppData\Local\Temp\tmp240590531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240590531.exe
48⤵
- Modifies registry class
PID:3256

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
49⤵
PID:912

C:\Users\Admin\AppData\Local\Temp\tmp240591765.exe
C:\Users\Admin\AppData\Local\Temp\tmp240591765.exe
50⤵
PID:3128

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
51⤵
PID:4960

C:\Users\Admin\AppData\Local\Temp\tmp240592000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240592000.exe
52⤵
PID:2796

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
53⤵
PID:364

C:\Users\Admin\AppData\Local\Temp\tmp240592281.exe
C:\Users\Admin\AppData\Local\Temp\tmp240592281.exe
54⤵
- Modifies registry class
PID:3556

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
55⤵
PID:4804

C:\Users\Admin\AppData\Local\Temp\tmp240593546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240593546.exe
56⤵
PID:2168

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
57⤵
PID:1336

C:\Users\Admin\AppData\Local\Temp\tmp240593765.exe
C:\Users\Admin\AppData\Local\Temp\tmp240593765.exe
58⤵
- Drops file in System32 directory
PID:392

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
59⤵
PID:4336

C:\Users\Admin\AppData\Local\Temp\tmp240593984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240593984.exe
60⤵
- Drops file in System32 directory
- Modifies registry class
PID:1592

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
61⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\tmp240605000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240605000.exe
62⤵
- Checks computer location settings
- Modifies registry class
PID:4300

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
63⤵
PID:4876

C:\Users\Admin\AppData\Local\Temp\tmp240605718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240605718.exe
64⤵
- Drops file in System32 directory
- Modifies registry class
PID:4564

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
65⤵
PID:2160

C:\Users\Admin\AppData\Local\Temp\tmp240606187.exe
C:\Users\Admin\AppData\Local\Temp\tmp240606187.exe
66⤵
PID:1444

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
67⤵
PID:3628

C:\Users\Admin\AppData\Local\Temp\tmp240606531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240606531.exe
68⤵
- Modifies registry class
PID:5064

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
69⤵
PID:2072

C:\Users\Admin\AppData\Local\Temp\tmp240606734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240606734.exe
70⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:2800

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
71⤵
PID:2084

C:\Users\Admin\AppData\Local\Temp\tmp240607031.exe
C:\Users\Admin\AppData\Local\Temp\tmp240607031.exe
72⤵
- Checks computer location settings
- Drops file in System32 directory
PID:3356

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
73⤵
PID:5028

C:\Users\Admin\AppData\Local\Temp\tmp240607390.exe
C:\Users\Admin\AppData\Local\Temp\tmp240607390.exe
74⤵
- Drops file in System32 directory
PID:2672

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
75⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\tmp240607750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240607750.exe
76⤵
- Checks computer location settings
- Modifies registry class
PID:5096

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
77⤵
PID:2036

C:\Users\Admin\AppData\Local\Temp\tmp240608109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240608109.exe
78⤵
- Modifies registry class
PID:1164

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
79⤵
PID:3964

C:\Users\Admin\AppData\Local\Temp\tmp240608328.exe
C:\Users\Admin\AppData\Local\Temp\tmp240608328.exe
80⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:3928

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
81⤵
PID:4840

C:\Users\Admin\AppData\Local\Temp\tmp240608687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240608687.exe
82⤵
- Drops file in System32 directory
PID:4836

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
83⤵
PID:1448

C:\Users\Admin\AppData\Local\Temp\tmp240608906.exe
C:\Users\Admin\AppData\Local\Temp\tmp240608906.exe
84⤵
- Checks computer location settings
- Modifies registry class
PID:2564

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
85⤵
PID:4928

C:\Users\Admin\AppData\Local\Temp\tmp240609265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240609265.exe
86⤵
- Checks computer location settings
PID:2536

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
87⤵
PID:4524

C:\Users\Admin\AppData\Local\Temp\tmp240609640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240609640.exe
88⤵
- Drops file in System32 directory
PID:4404

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
89⤵
PID:628

C:\Users\Admin\AppData\Local\Temp\tmp240610031.exe
C:\Users\Admin\AppData\Local\Temp\tmp240610031.exe
90⤵
- Checks computer location settings
- Modifies registry class
PID:2488

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
91⤵
PID:4560

C:\Users\Admin\AppData\Local\Temp\tmp240611234.exe
C:\Users\Admin\AppData\Local\Temp\tmp240611234.exe
92⤵
- Checks computer location settings
- Modifies registry class
PID:3256

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
93⤵
PID:4624

C:\Users\Admin\AppData\Local\Temp\tmp240611531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240611531.exe
94⤵
- Modifies registry class
PID:1888

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
95⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\tmp240611843.exe
C:\Users\Admin\AppData\Local\Temp\tmp240611843.exe
96⤵
- Checks computer location settings
PID:2784

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
97⤵
PID:4052

C:\Users\Admin\AppData\Local\Temp\tmp240612109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240612109.exe
98⤵
- Modifies registry class
PID:5056

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
99⤵
PID:1336

C:\Users\Admin\AppData\Local\Temp\tmp240612359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240612359.exe
100⤵
PID:460

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
101⤵
PID:5040

C:\Users\Admin\AppData\Local\Temp\tmp240612609.exe
C:\Users\Admin\AppData\Local\Temp\tmp240612609.exe
102⤵
PID:3024

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
103⤵
PID:4080

C:\Users\Admin\AppData\Local\Temp\tmp240612843.exe
C:\Users\Admin\AppData\Local\Temp\tmp240612843.exe
104⤵
PID:4396

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
105⤵
PID:3452

C:\Users\Admin\AppData\Local\Temp\tmp240613015.exe
C:\Users\Admin\AppData\Local\Temp\tmp240613015.exe
106⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:3104

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
107⤵
PID:856

C:\Users\Admin\AppData\Local\Temp\tmp240613218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240613218.exe
108⤵
- Checks computer location settings
PID:4280

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
109⤵
PID:2608

C:\Users\Admin\AppData\Local\Temp\tmp240613515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240613515.exe
110⤵
PID:1360

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
111⤵
PID:1724

C:\Users\Admin\AppData\Local\Temp\tmp240613750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240613750.exe
112⤵
- Checks computer location settings
- Drops file in System32 directory
PID:2832

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
113⤵
PID:1692

C:\Users\Admin\AppData\Local\Temp\tmp240613937.exe
C:\Users\Admin\AppData\Local\Temp\tmp240613937.exe
114⤵
PID:4088

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
115⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\tmp240614140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240614140.exe
116⤵
- Modifies registry class
PID:1616

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
117⤵
PID:3004

C:\Users\Admin\AppData\Local\Temp\tmp240614328.exe
C:\Users\Admin\AppData\Local\Temp\tmp240614328.exe
118⤵
PID:4304

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
119⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\tmp240614531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240614531.exe
120⤵
- Drops file in System32 directory
PID:3916

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
121⤵
PID:4952

C:\Users\Admin\AppData\Local\Temp\tmp240614765.exe
C:\Users\Admin\AppData\Local\Temp\tmp240614765.exe
122⤵
- Checks computer location settings
PID:4424

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
123⤵
PID:1664

C:\Users\Admin\AppData\Local\Temp\tmp240614953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240614953.exe
124⤵
- Checks computer location settings
PID:4848

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
125⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\tmp240615140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615140.exe
126⤵
PID:4040

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
127⤵
PID:3960

C:\Users\Admin\AppData\Local\Temp\tmp240615312.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615312.exe
128⤵
- Drops file in System32 directory
PID:3352

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
129⤵
PID:3684

C:\Users\Admin\AppData\Local\Temp\tmp240615515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615515.exe
130⤵
PID:4704

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
131⤵
PID:3756

C:\Users\Admin\AppData\Local\Temp\tmp240615687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615687.exe
132⤵
PID:4348

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
133⤵
PID:1512

C:\Users\Admin\AppData\Local\Temp\tmp240615875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615875.exe
134⤵
- Drops file in System32 directory
- Modifies registry class
PID:1464

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
135⤵
PID:3096

C:\Users\Admin\AppData\Local\Temp\tmp240616046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240616046.exe
136⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:4960

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
137⤵
PID:3460

C:\Users\Admin\AppData\Local\Temp\tmp240616250.exe
C:\Users\Admin\AppData\Local\Temp\tmp240616250.exe
138⤵
- Checks computer location settings
- Modifies registry class
PID:4756

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
139⤵
PID:792

C:\Users\Admin\AppData\Local\Temp\tmp240616453.exe
C:\Users\Admin\AppData\Local\Temp\tmp240616453.exe
140⤵
- Modifies registry class
PID:2560

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
141⤵
PID:3412

C:\Users\Admin\AppData\Local\Temp\tmp240616671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240616671.exe
142⤵
- Modifies registry class
PID:5004

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
143⤵
PID:4648

C:\Users\Admin\AppData\Local\Temp\tmp240617312.exe
C:\Users\Admin\AppData\Local\Temp\tmp240617312.exe
144⤵
- Drops file in System32 directory
- Modifies registry class
PID:4396

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
145⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\tmp240617984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240617984.exe
146⤵
- Checks computer location settings
- Modifies registry class
PID:5060

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
147⤵
PID:4900

C:\Users\Admin\AppData\Local\Temp\tmp240618109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240618109.exe
148⤵
- Checks computer location settings
- Modifies registry class
PID:2160

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
149⤵
PID:5008

C:\Users\Admin\AppData\Local\Temp\tmp240618500.exe
C:\Users\Admin\AppData\Local\Temp\tmp240618500.exe
150⤵
- Checks computer location settings
PID:1176

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
151⤵
PID:1692

C:\Users\Admin\AppData\Local\Temp\tmp240641156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240641156.exe
152⤵
- Checks computer location settings
PID:3436

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
153⤵
PID:5112

C:\Users\Admin\AppData\Local\Temp\tmp240647390.exe
C:\Users\Admin\AppData\Local\Temp\tmp240647390.exe
154⤵
- Checks computer location settings
- Drops file in System32 directory
PID:3656

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
155⤵
PID:3940

C:\Users\Admin\AppData\Local\Temp\tmp240652171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240652171.exe
156⤵
PID:1876

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
157⤵
PID:1116

C:\Users\Admin\AppData\Local\Temp\tmp240652312.exe
C:\Users\Admin\AppData\Local\Temp\tmp240652312.exe
158⤵
- Checks computer location settings
- Drops file in System32 directory
PID:2584

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
159⤵
PID:260

C:\Users\Admin\AppData\Local\Temp\tmp240652953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240652953.exe
160⤵
- Modifies registry class
PID:4116

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
161⤵
PID:1432

C:\Users\Admin\AppData\Local\Temp\tmp240653875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240653875.exe
162⤵
PID:3392

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
163⤵
PID:532

C:\Users\Admin\AppData\Local\Temp\tmp240654093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240654093.exe
164⤵
- Checks computer location settings
PID:916

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
165⤵
PID:1900

C:\Users\Admin\AppData\Local\Temp\tmp240654375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240654375.exe
166⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\tmp240654531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240654531.exe
166⤵
PID:4664

C:\Users\Admin\AppData\Local\Temp\tmp240654640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240654640.exe
167⤵
PID:3324

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
168⤵
PID:3800

C:\Users\Admin\AppData\Local\Temp\tmp240655031.exe
C:\Users\Admin\AppData\Local\Temp\tmp240655031.exe
169⤵
PID:3804

C:\Users\Admin\AppData\Local\Temp\tmp240655046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240655046.exe
169⤵
PID:3108

C:\Users\Admin\AppData\Local\Temp\tmp240655078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240655078.exe
170⤵
- Checks computer location settings
PID:4340

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
171⤵
PID:4016

C:\Users\Admin\AppData\Local\Temp\tmp240655265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240655265.exe
172⤵
- Drops file in System32 directory
PID:3336

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
173⤵
PID:3492

C:\Users\Admin\AppData\Local\Temp\tmp240655453.exe
C:\Users\Admin\AppData\Local\Temp\tmp240655453.exe
174⤵
PID:388

C:\Users\Admin\AppData\Local\Temp\tmp240655593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240655593.exe
174⤵
PID:2644

C:\Users\Admin\AppData\Local\Temp\tmp240655656.exe
C:\Users\Admin\AppData\Local\Temp\tmp240655656.exe
175⤵
PID:5064

C:\Users\Admin\AppData\Local\Temp\tmp240655671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240655671.exe
175⤵
PID:800

C:\Users\Admin\AppData\Local\Temp\tmp240655703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240655703.exe
176⤵
PID:2132

C:\Users\Admin\AppData\Local\Temp\tmp240655734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240655734.exe
176⤵
PID:4516

C:\Users\Admin\AppData\Local\Temp\tmp240655281.exe
C:\Users\Admin\AppData\Local\Temp\tmp240655281.exe
172⤵
PID:2728

C:\Users\Admin\AppData\Local\Temp\tmp240655328.exe
C:\Users\Admin\AppData\Local\Temp\tmp240655328.exe
173⤵
PID:4688

C:\Users\Admin\AppData\Local\Temp\tmp240655359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240655359.exe
173⤵
PID:3360

C:\Users\Admin\AppData\Local\Temp\tmp240655421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240655421.exe
174⤵
PID:5092

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
175⤵
PID:2312

C:\Users\Admin\AppData\Local\Temp\tmp240655828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240655828.exe
176⤵
PID:212

C:\Users\Admin\AppData\Local\Temp\tmp240655843.exe
C:\Users\Admin\AppData\Local\Temp\tmp240655843.exe
177⤵
PID:1296

C:\Users\Admin\AppData\Local\Temp\tmp240655859.exe
C:\Users\Admin\AppData\Local\Temp\tmp240655859.exe
177⤵
PID:2832

C:\Users\Admin\AppData\Local\Temp\tmp240655906.exe
C:\Users\Admin\AppData\Local\Temp\tmp240655906.exe
178⤵
PID:4088

C:\Users\Admin\AppData\Local\Temp\tmp240656062.exe
C:\Users\Admin\AppData\Local\Temp\tmp240656062.exe
178⤵
PID:1384

C:\Users\Admin\AppData\Local\Temp\tmp240655812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240655812.exe
176⤵
- Checks computer location settings
PID:2444

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
177⤵
PID:4000

C:\Users\Admin\AppData\Local\Temp\tmp240656125.exe
C:\Users\Admin\AppData\Local\Temp\tmp240656125.exe
178⤵
- Checks computer location settings
PID:2672

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
179⤵
PID:1732

C:\Users\Admin\AppData\Local\Temp\tmp240656500.exe
C:\Users\Admin\AppData\Local\Temp\tmp240656500.exe
180⤵
PID:2452

C:\Users\Admin\AppData\Local\Temp\tmp240656531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240656531.exe
180⤵
PID:616

C:\Users\Admin\AppData\Local\Temp\tmp240656593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240656593.exe
181⤵
PID:684

C:\Users\Admin\AppData\Local\Temp\tmp240656640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240656640.exe
181⤵
PID:3928

C:\Users\Admin\AppData\Local\Temp\tmp240656703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240656703.exe
182⤵
PID:1164

C:\Users\Admin\AppData\Local\Temp\tmp240656734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240656734.exe
182⤵
PID:4796

C:\Users\Admin\AppData\Local\Temp\tmp240656250.exe
C:\Users\Admin\AppData\Local\Temp\tmp240656250.exe
178⤵
PID:4352

C:\Users\Admin\AppData\Local\Temp\tmp240656343.exe
C:\Users\Admin\AppData\Local\Temp\tmp240656343.exe
179⤵
PID:2696

C:\Users\Admin\AppData\Local\Temp\tmp240656406.exe
C:\Users\Admin\AppData\Local\Temp\tmp240656406.exe
179⤵
PID:1480

C:\Users\Admin\AppData\Local\Temp\tmp240656468.exe
C:\Users\Admin\AppData\Local\Temp\tmp240656468.exe
180⤵
- Checks computer location settings
PID:1604

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
181⤵
PID:4836

C:\Users\Admin\AppData\Local\Temp\tmp240656718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240656718.exe
182⤵
- Modifies registry class
PID:1224

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
183⤵
PID:4612

C:\Users\Admin\AppData\Local\Temp\tmp240657109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240657109.exe
184⤵
PID:2564

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
185⤵
PID:2428

C:\Users\Admin\AppData\Local\Temp\tmp240657359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240657359.exe
186⤵
PID:320

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
187⤵
PID:628

C:\Users\Admin\AppData\Local\Temp\tmp240657640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240657640.exe
188⤵
PID:932

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
189⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\tmp240657968.exe
C:\Users\Admin\AppData\Local\Temp\tmp240657968.exe
190⤵
- Checks computer location settings
- Modifies registry class
PID:1888

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
191⤵
PID:2228

C:\Users\Admin\AppData\Local\Temp\tmp240658343.exe
C:\Users\Admin\AppData\Local\Temp\tmp240658343.exe
192⤵
- Drops file in System32 directory
PID:4664

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
193⤵
PID:2560

C:\Users\Admin\AppData\Local\Temp\tmp240658593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240658593.exe
194⤵
- Checks computer location settings
- Drops file in System32 directory
PID:1720

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
195⤵
PID:4544

C:\Users\Admin\AppData\Local\Temp\tmp240658906.exe
C:\Users\Admin\AppData\Local\Temp\tmp240658906.exe
196⤵
- Checks computer location settings
- Drops file in System32 directory
PID:4400

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
197⤵
PID:4204

C:\Users\Admin\AppData\Local\Temp\tmp240659171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240659171.exe
198⤵
PID:4280

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
199⤵
PID:5092

C:\Users\Admin\AppData\Local\Temp\tmp240659390.exe
C:\Users\Admin\AppData\Local\Temp\tmp240659390.exe
200⤵
- Drops file in System32 directory
- Modifies registry class
PID:3932

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
201⤵
PID:1384

C:\Users\Admin\AppData\Local\Temp\tmp240659609.exe
C:\Users\Admin\AppData\Local\Temp\tmp240659609.exe
202⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:4000

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
203⤵
PID:3272

C:\Users\Admin\AppData\Local\Temp\tmp240659812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240659812.exe
204⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:668

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
205⤵
PID:2284

C:\Users\Admin\AppData\Local\Temp\tmp240660234.exe
C:\Users\Admin\AppData\Local\Temp\tmp240660234.exe
206⤵
- Drops file in System32 directory
PID:1752

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
207⤵
PID:4604

C:\Users\Admin\AppData\Local\Temp\tmp240660421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240660421.exe
208⤵
- Drops file in System32 directory
PID:372

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
209⤵
PID:2636

C:\Users\Admin\AppData\Local\Temp\tmp240660625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240660625.exe
210⤵
- Checks computer location settings
- Modifies registry class
PID:1524

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
211⤵
PID:552

C:\Users\Admin\AppData\Local\Temp\tmp240660812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240660812.exe
212⤵
- Checks computer location settings
PID:1432

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
213⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\tmp240661046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240661046.exe
214⤵
PID:2068

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
215⤵
PID:4828

C:\Users\Admin\AppData\Local\Temp\tmp240661406.exe
C:\Users\Admin\AppData\Local\Temp\tmp240661406.exe
216⤵
- Drops file in System32 directory
- Modifies registry class
PID:4780

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
217⤵
PID:4296

C:\Users\Admin\AppData\Local\Temp\tmp240662140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240662140.exe
218⤵
- Checks computer location settings
PID:1612

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
219⤵
PID:1932

C:\Users\Admin\AppData\Local\Temp\tmp240662406.exe
C:\Users\Admin\AppData\Local\Temp\tmp240662406.exe
220⤵
PID:4648

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
221⤵
PID:2728

C:\Users\Admin\AppData\Local\Temp\tmp240662687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240662687.exe
222⤵
- Checks computer location settings
PID:4900

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
223⤵
PID:4120

C:\Users\Admin\AppData\Local\Temp\tmp240662968.exe
C:\Users\Admin\AppData\Local\Temp\tmp240662968.exe
224⤵
- Drops file in System32 directory
PID:3652

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
225⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\tmp240663375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240663375.exe
226⤵
PID:4160

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
227⤵
PID:4352

C:\Users\Admin\AppData\Local\Temp\tmp240663562.exe
C:\Users\Admin\AppData\Local\Temp\tmp240663562.exe
228⤵
PID:2884

C:\Users\Admin\AppData\Local\Temp\tmp240663578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240663578.exe
228⤵
PID:684

C:\Users\Admin\AppData\Local\Temp\tmp240663640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240663640.exe
229⤵
PID:3928

C:\Users\Admin\AppData\Local\Temp\tmp240663656.exe
C:\Users\Admin\AppData\Local\Temp\tmp240663656.exe
229⤵
PID:2448

C:\Users\Admin\AppData\Local\Temp\tmp240663703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240663703.exe
230⤵
PID:668

C:\Users\Admin\AppData\Local\Temp\tmp240663718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240663718.exe
230⤵
PID:3524

C:\Users\Admin\AppData\Local\Temp\tmp240663750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240663750.exe
231⤵
PID:1672

C:\Users\Admin\AppData\Local\Temp\tmp240663828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240663828.exe
231⤵
PID:112

C:\Users\Admin\AppData\Local\Temp\tmp240663390.exe
C:\Users\Admin\AppData\Local\Temp\tmp240663390.exe
226⤵
PID:1384

C:\Users\Admin\AppData\Local\Temp\tmp240663421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240663421.exe
227⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\tmp240663437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240663437.exe
227⤵
PID:4196

C:\Users\Admin\AppData\Local\Temp\tmp240663500.exe
C:\Users\Admin\AppData\Local\Temp\tmp240663500.exe
228⤵
PID:2996

C:\Users\Admin\AppData\Local\Temp\tmp240663515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240663515.exe
228⤵
PID:3004

C:\Users\Admin\AppData\Local\Temp\tmp240663546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240663546.exe
229⤵
- Modifies registry class
PID:4000

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
230⤵
PID:116

C:\Users\Admin\AppData\Local\Temp\tmp240663765.exe
C:\Users\Admin\AppData\Local\Temp\tmp240663765.exe
231⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:5020

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
232⤵
PID:1420

C:\Users\Admin\AppData\Local\Temp\tmp240663984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240663984.exe
233⤵
PID:4680

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
234⤵
PID:4212

C:\Users\Admin\AppData\Local\Temp\tmp240664187.exe
C:\Users\Admin\AppData\Local\Temp\tmp240664187.exe
235⤵
PID:4496

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
236⤵
PID:1124

C:\Users\Admin\AppData\Local\Temp\tmp240664406.exe
C:\Users\Admin\AppData\Local\Temp\tmp240664406.exe
237⤵
PID:2248

C:\Users\Admin\AppData\Local\Temp\tmp240664421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240664421.exe
237⤵
PID:932

C:\Users\Admin\AppData\Local\Temp\tmp240664515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240664515.exe
238⤵
PID:1464

C:\Users\Admin\AppData\Local\Temp\tmp240664546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240664546.exe
238⤵
PID:1900

C:\Users\Admin\AppData\Local\Temp\tmp240664578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240664578.exe
239⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\tmp240664593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240664593.exe
239⤵
PID:3896

C:\Users\Admin\AppData\Local\Temp\tmp240664671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240664671.exe
240⤵
PID:672

C:\Users\Admin\AppData\Local\Temp\tmp240664781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240664781.exe
240⤵
PID:4056

C:\Users\Admin\AppData\Local\Temp\tmp240664203.exe
C:\Users\Admin\AppData\Local\Temp\tmp240664203.exe
235⤵
PID:2488

C:\Users\Admin\AppData\Local\Temp\tmp240664296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240664296.exe
236⤵
PID:1912

C:\Users\Admin\AppData\Local\Temp\tmp240664312.exe
C:\Users\Admin\AppData\Local\Temp\tmp240664312.exe
236⤵
PID:2492

C:\Users\Admin\AppData\Local\Temp\tmp240664390.exe
C:\Users\Admin\AppData\Local\Temp\tmp240664390.exe
237⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:4752

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
238⤵
PID:2316

C:\Users\Admin\AppData\Local\Temp\tmp240664609.exe
C:\Users\Admin\AppData\Local\Temp\tmp240664609.exe
239⤵
- Checks computer location settings
- Drops file in System32 directory
PID:4228

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
240⤵
PID:2560

C:\Users\Admin\AppData\Local\Temp\tmp240664937.exe
C:\Users\Admin\AppData\Local\Temp\tmp240664937.exe
241⤵
PID:828

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
242⤵
PID:5060

C:\Users\Admin\AppData\Local\Temp\tmp240665125.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665125.exe
243⤵
- Drops file in System32 directory
- Modifies registry class
PID:4272

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
244⤵
PID:4996

C:\Users\Admin\AppData\Local\Temp\tmp240665312.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665312.exe
245⤵
PID:3760

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
246⤵
PID:4188

C:\Users\Admin\AppData\Local\Temp\tmp240665484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665484.exe
247⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:3932

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
248⤵
PID:4776

C:\Users\Admin\AppData\Local\Temp\tmp240665750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665750.exe
249⤵
PID:5096

C:\Users\Admin\AppData\Local\Temp\tmp240665796.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665796.exe
250⤵
PID:3924

C:\Users\Admin\AppData\Local\Temp\tmp240665812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665812.exe
250⤵
PID:2452

C:\Users\Admin\AppData\Local\Temp\tmp240665843.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665843.exe
251⤵
PID:4000

C:\Users\Admin\AppData\Local\Temp\tmp240665859.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665859.exe
251⤵
PID:1248

C:\Users\Admin\AppData\Local\Temp\tmp240665890.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665890.exe
252⤵
- Checks computer location settings
- Modifies registry class
PID:4684

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
253⤵
PID:1820

C:\Users\Admin\AppData\Local\Temp\tmp240666078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666078.exe
254⤵
PID:3688

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
255⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\tmp240666281.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666281.exe
256⤵
PID:3096

C:\Users\Admin\AppData\Local\Temp\tmp240666296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666296.exe
256⤵
PID:1552

C:\Users\Admin\AppData\Local\Temp\tmp240666343.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666343.exe
257⤵
PID:632

C:\Users\Admin\AppData\Local\Temp\tmp240666375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666375.exe
257⤵
PID:2456

C:\Users\Admin\AppData\Local\Temp\tmp240666421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666421.exe
258⤵
PID:2784

C:\Users\Admin\AppData\Local\Temp\tmp240666437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666437.exe
258⤵
PID:1432

C:\Users\Admin\AppData\Local\Temp\tmp240666468.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666468.exe
259⤵
PID:2248

C:\Users\Admin\AppData\Local\Temp\tmp240666500.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666500.exe
259⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\tmp240668531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240668531.exe
256⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\tmp240666109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666109.exe
254⤵
PID:4156

C:\Users\Admin\AppData\Local\Temp\tmp240666156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666156.exe
255⤵
PID:2636

C:\Users\Admin\AppData\Local\Temp\tmp240666187.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666187.exe
255⤵
PID:2200

C:\Users\Admin\AppData\Local\Temp\tmp240666218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666218.exe
256⤵
PID:1992

C:\Users\Admin\AppData\Local\Temp\tmp240666234.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666234.exe
256⤵
PID:912

C:\Users\Admin\AppData\Local\Temp\tmp240666265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666265.exe
257⤵
PID:4560

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
258⤵
PID:5100

C:\Users\Admin\AppData\Local\Temp\tmp240666484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666484.exe
259⤵
- Checks computer location settings
PID:4252

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
260⤵
PID:4856

C:\Users\Admin\AppData\Local\Temp\tmp240666687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666687.exe
261⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\tmp240666765.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666765.exe
261⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\tmp240666812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666812.exe
262⤵
PID:4300

C:\Users\Admin\AppData\Local\Temp\tmp240666828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666828.exe
262⤵
PID:3732

C:\Users\Admin\AppData\Local\Temp\tmp240666859.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666859.exe
263⤵
PID:4716

C:\Users\Admin\AppData\Local\Temp\tmp240666890.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666890.exe
263⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\tmp240666921.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666921.exe
264⤵
PID:3284

C:\Users\Admin\AppData\Local\Temp\tmp240666984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666984.exe
264⤵
PID:4512

C:\Users\Admin\AppData\Local\Temp\tmp240666515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666515.exe
259⤵
PID:1464

C:\Users\Admin\AppData\Local\Temp\tmp240666562.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666562.exe
260⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\tmp240666578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666578.exe
260⤵
PID:2336

C:\Users\Admin\AppData\Local\Temp\tmp240666625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666625.exe
261⤵
PID:3412

C:\Users\Admin\AppData\Local\Temp\tmp240666640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666640.exe
261⤵
PID:5088

C:\Users\Admin\AppData\Local\Temp\tmp240666671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666671.exe
262⤵
- Checks computer location settings
- Modifies registry class
PID:3068

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
263⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\tmp240666875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666875.exe
264⤵
PID:4016

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
265⤵
PID:2280

C:\Users\Admin\AppData\Local\Temp\tmp240667078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240667078.exe
266⤵
PID:3680

C:\Users\Admin\AppData\Local\Temp\tmp240667093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240667093.exe
266⤵
PID:3452

C:\Users\Admin\AppData\Local\Temp\tmp240667125.exe
C:\Users\Admin\AppData\Local\Temp\tmp240667125.exe
267⤵
PID:2644

C:\Users\Admin\AppData\Local\Temp\tmp240667265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240667265.exe
267⤵
PID:2728

C:\Users\Admin\AppData\Local\Temp\tmp240667343.exe
C:\Users\Admin\AppData\Local\Temp\tmp240667343.exe
268⤵
PID:3496

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
269⤵
PID:4180

C:\Users\Admin\AppData\Local\Temp\tmp240667625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240667625.exe
270⤵
PID:5016

C:\Users\Admin\AppData\Local\Temp\tmp240667671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240667671.exe
270⤵
PID:2604

C:\Users\Admin\AppData\Local\Temp\tmp240667703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240667703.exe
271⤵
PID:1728

C:\Users\Admin\AppData\Local\Temp\tmp240667734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240667734.exe
271⤵
PID:3272

C:\Users\Admin\AppData\Local\Temp\tmp240667781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240667781.exe
272⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:2696

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
273⤵
PID:112

C:\Users\Admin\AppData\Local\Temp\tmp240668125.exe
C:\Users\Admin\AppData\Local\Temp\tmp240668125.exe
274⤵
PID:2064

C:\Users\Admin\AppData\Local\Temp\tmp240668140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240668140.exe
274⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\tmp240668156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240668156.exe
275⤵
PID:3040

C:\Users\Admin\AppData\Local\Temp\tmp240668171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240668171.exe
275⤵
PID:2804

C:\Users\Admin\AppData\Local\Temp\tmp240668218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240668218.exe
276⤵
PID:5020

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
277⤵
PID:4148

C:\Users\Admin\AppData\Local\Temp\tmp240668437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240668437.exe
278⤵
PID:2200

C:\Users\Admin\AppData\Local\Temp\tmp240668484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240668484.exe
278⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\tmp240668593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240668593.exe
279⤵
PID:1552

C:\Users\Admin\AppData\Local\Temp\tmp240668609.exe
C:\Users\Admin\AppData\Local\Temp\tmp240668609.exe
280⤵
PID:2784

C:\Users\Admin\AppData\Local\Temp\tmp240668640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240668640.exe
280⤵
PID:2140

C:\Users\Admin\AppData\Local\Temp\tmp240668671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240668671.exe
281⤵
PID:1640

C:\Users\Admin\AppData\Local\Temp\tmp240668734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240668734.exe
281⤵
PID:5104

C:\Users\Admin\AppData\Local\Temp\tmp240668234.exe
C:\Users\Admin\AppData\Local\Temp\tmp240668234.exe
276⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\tmp240668250.exe
C:\Users\Admin\AppData\Local\Temp\tmp240668250.exe
277⤵
PID:3196

C:\Users\Admin\AppData\Local\Temp\tmp240668281.exe
C:\Users\Admin\AppData\Local\Temp\tmp240668281.exe
277⤵
PID:3100

C:\Users\Admin\AppData\Local\Temp\tmp240667843.exe
C:\Users\Admin\AppData\Local\Temp\tmp240667843.exe
272⤵
PID:2364

C:\Users\Admin\AppData\Local\Temp\tmp240667906.exe
C:\Users\Admin\AppData\Local\Temp\tmp240667906.exe
273⤵
PID:2176

C:\Users\Admin\AppData\Local\Temp\tmp240667953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240667953.exe
273⤵
PID:4428

C:\Users\Admin\AppData\Local\Temp\tmp240667406.exe
C:\Users\Admin\AppData\Local\Temp\tmp240667406.exe
268⤵
PID:2920

C:\Users\Admin\AppData\Local\Temp\tmp240667437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240667437.exe
269⤵
PID:4120

C:\Users\Admin\AppData\Local\Temp\tmp240667468.exe
C:\Users\Admin\AppData\Local\Temp\tmp240667468.exe
269⤵
PID:5028

C:\Users\Admin\AppData\Local\Temp\tmp240666906.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666906.exe
264⤵
PID:720

C:\Users\Admin\AppData\Local\Temp\tmp240666953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666953.exe
265⤵
PID:3972

C:\Users\Admin\AppData\Local\Temp\tmp240667031.exe
C:\Users\Admin\AppData\Local\Temp\tmp240667031.exe
265⤵
PID:3360

C:\Users\Admin\AppData\Local\Temp\tmp240667062.exe
C:\Users\Admin\AppData\Local\Temp\tmp240667062.exe
266⤵
- Checks computer location settings
- Drops file in System32 directory
PID:5060

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
267⤵
PID:2608

C:\Users\Admin\AppData\Local\Temp\tmp240667359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240667359.exe
268⤵
PID:212

C:\Users\Admin\AppData\Local\Temp\tmp240667390.exe
C:\Users\Admin\AppData\Local\Temp\tmp240667390.exe
268⤵
PID:1548

C:\Users\Admin\AppData\Local\Temp\tmp240667453.exe
C:\Users\Admin\AppData\Local\Temp\tmp240667453.exe
269⤵
PID:4136

C:\Users\Admin\AppData\Local\Temp\tmp240667484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240667484.exe
269⤵
- Modifies registry class
PID:3760

C:\Users\Admin\AppData\Local\Temp\tmp240667531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240667531.exe
270⤵
- Modifies registry class
PID:3292

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
271⤵
PID:1480

C:\Users\Admin\AppData\Local\Temp\tmp240667812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240667812.exe
272⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\tmp240667828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240667828.exe
272⤵
PID:616

C:\Users\Admin\AppData\Local\Temp\tmp240667937.exe
C:\Users\Admin\AppData\Local\Temp\tmp240667937.exe
273⤵
PID:3388

C:\Users\Admin\AppData\Local\Temp\tmp240667984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240667984.exe
273⤵
PID:612

C:\Users\Admin\AppData\Local\Temp\tmp240668015.exe
C:\Users\Admin\AppData\Local\Temp\tmp240668015.exe
274⤵
PID:4796

C:\Users\Admin\AppData\Local\Temp\tmp240668031.exe
C:\Users\Admin\AppData\Local\Temp\tmp240668031.exe
274⤵
PID:2448

C:\Users\Admin\AppData\Local\Temp\tmp240668062.exe
C:\Users\Admin\AppData\Local\Temp\tmp240668062.exe
275⤵
- Checks computer location settings
- Modifies registry class
PID:1664

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
276⤵
PID:3940

C:\Users\Admin\AppData\Local\Temp\tmp240668296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240668296.exe
277⤵
PID:2324

C:\Users\Admin\AppData\Local\Temp\tmp240668343.exe
C:\Users\Admin\AppData\Local\Temp\tmp240668343.exe
277⤵
PID:2636

C:\Users\Admin\AppData\Local\Temp\tmp240668359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240668359.exe
278⤵
PID:260

C:\Users\Admin\AppData\Local\Temp\tmp240668390.exe
C:\Users\Admin\AppData\Local\Temp\tmp240668390.exe
278⤵
PID:536

C:\Users\Admin\AppData\Local\Temp\tmp240668421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240668421.exe
279⤵
- Drops file in System32 directory
- Modifies registry class
PID:1992

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
280⤵
PID:2492

C:\Users\Admin\AppData\Local\Temp\tmp240668687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240668687.exe
281⤵
- Drops file in System32 directory
PID:4748

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
282⤵
PID:4804

C:\Users\Admin\AppData\Local\Temp\tmp240668890.exe
C:\Users\Admin\AppData\Local\Temp\tmp240668890.exe
283⤵
- Checks computer location settings
- Modifies registry class
PID:932

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
284⤵
PID:4228

C:\Users\Admin\AppData\Local\Temp\tmp240669109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240669109.exe
285⤵
PID:3284

C:\Users\Admin\AppData\Local\Temp\tmp240669125.exe
C:\Users\Admin\AppData\Local\Temp\tmp240669125.exe
285⤵
PID:4512

C:\Users\Admin\AppData\Local\Temp\tmp240669140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240669140.exe
286⤵
PID:4716

C:\Users\Admin\AppData\Local\Temp\tmp240669250.exe
C:\Users\Admin\AppData\Local\Temp\tmp240669250.exe
286⤵
PID:3024

C:\Users\Admin\AppData\Local\Temp\tmp240669265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240669265.exe
287⤵
PID:3628

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
288⤵
PID:4616

C:\Users\Admin\AppData\Local\Temp\tmp240669546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240669546.exe
289⤵
- Drops file in System32 directory
- Modifies registry class
PID:1896

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
290⤵
PID:2368

C:\Users\Admin\AppData\Local\Temp\tmp240669703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240669703.exe
291⤵
PID:2808

C:\Users\Admin\AppData\Local\Temp\tmp240669734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240669734.exe
291⤵
PID:4760

C:\Users\Admin\AppData\Local\Temp\tmp240669765.exe
C:\Users\Admin\AppData\Local\Temp\tmp240669765.exe
292⤵
PID:1032

C:\Users\Admin\AppData\Local\Temp\tmp240669796.exe
C:\Users\Admin\AppData\Local\Temp\tmp240669796.exe
292⤵
PID:4820

C:\Users\Admin\AppData\Local\Temp\tmp240669828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240669828.exe
293⤵
PID:3656

C:\Users\Admin\AppData\Local\Temp\tmp240669859.exe
C:\Users\Admin\AppData\Local\Temp\tmp240669859.exe
293⤵
PID:3772

C:\Users\Admin\AppData\Local\Temp\tmp240669890.exe
C:\Users\Admin\AppData\Local\Temp\tmp240669890.exe
294⤵
- Drops file in System32 directory
PID:684

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
295⤵
PID:3916

C:\Users\Admin\AppData\Local\Temp\tmp240670140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240670140.exe
296⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\tmp240682906.exe
C:\Users\Admin\AppData\Local\Temp\tmp240682906.exe
296⤵
PID:3328

C:\Users\Admin\AppData\Local\Temp\tmp240683000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240683000.exe
297⤵
PID:2064

C:\Users\Admin\AppData\Local\Temp\tmp240683031.exe
C:\Users\Admin\AppData\Local\Temp\tmp240683031.exe
297⤵
PID:3040

C:\Users\Admin\AppData\Local\Temp\tmp240683093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240683093.exe
298⤵
PID:2484

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
299⤵
PID:2392

C:\Users\Admin\AppData\Local\Temp\tmp240683515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240683515.exe
300⤵
- Modifies registry class
PID:2388

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
301⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\tmp240684078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240684078.exe
302⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:2168

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
303⤵
PID:2228

C:\Users\Admin\AppData\Local\Temp\tmp240684359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240684359.exe
304⤵
PID:1012

C:\Users\Admin\AppData\Local\Temp\tmp240684375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240684375.exe
304⤵
PID:1464

C:\Users\Admin\AppData\Local\Temp\tmp240684421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240684421.exe
305⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\tmp240684546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240684546.exe
305⤵
PID:4228

C:\Users\Admin\AppData\Local\Temp\tmp240684578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240684578.exe
306⤵
PID:456

C:\Users\Admin\AppData\Local\Temp\tmp240684593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240684593.exe
306⤵
PID:204

C:\Users\Admin\AppData\Local\Temp\tmp240684750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240684750.exe
307⤵
PID:3024

C:\Users\Admin\AppData\Local\Temp\tmp240684812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240684812.exe
307⤵
PID:3936

C:\Users\Admin\AppData\Local\Temp\tmp240684140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240684140.exe
302⤵
PID:3412

C:\Users\Admin\AppData\Local\Temp\tmp240684218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240684218.exe
303⤵
PID:4252

C:\Users\Admin\AppData\Local\Temp\tmp240684234.exe
C:\Users\Admin\AppData\Local\Temp\tmp240684234.exe
303⤵
PID:392

C:\Users\Admin\AppData\Local\Temp\tmp240684296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240684296.exe
304⤵
PID:1784

C:\Users\Admin\AppData\Local\Temp\tmp240684312.exe
C:\Users\Admin\AppData\Local\Temp\tmp240684312.exe
304⤵
PID:4300

C:\Users\Admin\AppData\Local\Temp\tmp240684343.exe
C:\Users\Admin\AppData\Local\Temp\tmp240684343.exe
305⤵
- Checks computer location settings
- Modifies registry class
PID:4804

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
306⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\tmp240684609.exe
C:\Users\Admin\AppData\Local\Temp\tmp240684609.exe
307⤵
- Drops file in System32 directory
PID:4688

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
308⤵
PID:2824

C:\Users\Admin\AppData\Local\Temp\tmp240684875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240684875.exe
309⤵
PID:2608

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
310⤵
PID:4480

C:\Users\Admin\AppData\Local\Temp\tmp240685093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240685093.exe
311⤵
PID:5028

C:\Users\Admin\AppData\Local\Temp\tmp240685109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240685109.exe
311⤵
PID:1896

C:\Users\Admin\AppData\Local\Temp\tmp240685156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240685156.exe
312⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\tmp240685171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240685171.exe
312⤵
PID:3436

C:\Users\Admin\AppData\Local\Temp\tmp240685250.exe
C:\Users\Admin\AppData\Local\Temp\tmp240685250.exe
313⤵
PID:4188

C:\Users\Admin\AppData\Local\Temp\tmp240685265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240685265.exe
313⤵
PID:2264

C:\Users\Admin\AppData\Local\Temp\tmp240685484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240685484.exe
314⤵
PID:2176

C:\Users\Admin\AppData\Local\Temp\tmp240685734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240685734.exe
314⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\tmp240685796.exe
C:\Users\Admin\AppData\Local\Temp\tmp240685796.exe
315⤵
PID:260

C:\Users\Admin\AppData\Local\Temp\tmp240686046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240686046.exe
315⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\tmp240684953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240684953.exe
309⤵
PID:4280

C:\Users\Admin\AppData\Local\Temp\tmp240684968.exe
C:\Users\Admin\AppData\Local\Temp\tmp240684968.exe
310⤵
PID:2312

C:\Users\Admin\AppData\Local\Temp\tmp240685000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240685000.exe
310⤵
PID:4272

C:\Users\Admin\AppData\Local\Temp\tmp240685031.exe
C:\Users\Admin\AppData\Local\Temp\tmp240685031.exe
311⤵
PID:2920

C:\Users\Admin\AppData\Local\Temp\tmp240685046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240685046.exe
311⤵
PID:4880

C:\Users\Admin\AppData\Local\Temp\tmp240685078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240685078.exe
312⤵
- Checks computer location settings
PID:1360

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
313⤵
PID:5116

C:\Users\Admin\AppData\Local\Temp\tmp240685281.exe
C:\Users\Admin\AppData\Local\Temp\tmp240685281.exe
314⤵
PID:1296

C:\Users\Admin\AppData\Local\Temp\tmp240685296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240685296.exe
314⤵
PID:4428

C:\Users\Admin\AppData\Local\Temp\tmp240685406.exe
C:\Users\Admin\AppData\Local\Temp\tmp240685406.exe
315⤵
PID:3212

C:\Users\Admin\AppData\Local\Temp\tmp240685515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240685515.exe
315⤵
PID:2896

C:\Users\Admin\AppData\Local\Temp\tmp240685531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240685531.exe
316⤵
PID:3440

C:\Users\Admin\AppData\Local\Temp\tmp240685546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240685546.exe
316⤵
PID:3664

C:\Users\Admin\AppData\Local\Temp\tmp240685562.exe
C:\Users\Admin\AppData\Local\Temp\tmp240685562.exe
317⤵
PID:5096

C:\Users\Admin\AppData\Local\Temp\tmp240685578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240685578.exe
317⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\tmp240685609.exe
C:\Users\Admin\AppData\Local\Temp\tmp240685609.exe
318⤵
PID:2584

C:\Users\Admin\AppData\Local\Temp\tmp240685625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240685625.exe
318⤵
PID:4244

C:\Users\Admin\AppData\Local\Temp\tmp240685187.exe
C:\Users\Admin\AppData\Local\Temp\tmp240685187.exe
312⤵
PID:1728

C:\Users\Admin\AppData\Local\Temp\tmp240685203.exe
C:\Users\Admin\AppData\Local\Temp\tmp240685203.exe
313⤵
- Checks computer location settings
PID:4760

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
314⤵
PID:616

C:\Users\Admin\AppData\Local\Temp\tmp240685500.exe
C:\Users\Admin\AppData\Local\Temp\tmp240685500.exe
315⤵
- Modifies registry class
PID:924

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
316⤵
PID:2888

C:\Users\Admin\AppData\Local\Temp\tmp240685718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240685718.exe
317⤵
PID:1248

C:\Users\Admin\AppData\Local\Temp\tmp240685750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240685750.exe
317⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\tmp240685781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240685781.exe
318⤵
PID:1944

C:\Users\Admin\AppData\Local\Temp\tmp240685812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240685812.exe
318⤵
PID:3524

C:\Users\Admin\AppData\Local\Temp\tmp240686062.exe
C:\Users\Admin\AppData\Local\Temp\tmp240686062.exe
319⤵
PID:3688

C:\Users\Admin\AppData\Local\Temp\tmp240686171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240686171.exe
319⤵
PID:1880

C:\Users\Admin\AppData\Local\Temp\tmp240686312.exe
C:\Users\Admin\AppData\Local\Temp\tmp240686312.exe
320⤵
PID:4904

C:\Users\Admin\AppData\Local\Temp\tmp240686375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240686375.exe
320⤵
PID:4724

C:\Users\Admin\AppData\Local\Temp\tmp240686390.exe
C:\Users\Admin\AppData\Local\Temp\tmp240686390.exe
321⤵
PID:3232

C:\Users\Admin\AppData\Local\Temp\tmp240686406.exe
C:\Users\Admin\AppData\Local\Temp\tmp240686406.exe
321⤵
PID:3504

C:\Users\Admin\AppData\Local\Temp\tmp240685671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240685671.exe
315⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\tmp240685703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240685703.exe
316⤵
- Drops file in System32 directory
PID:2252

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
317⤵
PID:4852

C:\Users\Admin\AppData\Local\Temp\tmp240686218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240686218.exe
318⤵
- Checks computer location settings
PID:4984

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
319⤵
PID:4704

C:\Users\Admin\AppData\Local\Temp\tmp240686468.exe
C:\Users\Admin\AppData\Local\Temp\tmp240686468.exe
320⤵
- Modifies registry class
PID:4860

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
321⤵
PID:3776

C:\Users\Admin\AppData\Local\Temp\tmp240687062.exe
C:\Users\Admin\AppData\Local\Temp\tmp240687062.exe
322⤵
PID:2336

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
323⤵
PID:3108

C:\Users\Admin\AppData\Local\Temp\tmp240707375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240707375.exe
324⤵
PID:4076

C:\Users\Admin\AppData\Local\Temp\tmp240707500.exe
C:\Users\Admin\AppData\Local\Temp\tmp240707500.exe
324⤵
PID:3384

C:\Users\Admin\AppData\Local\Temp\tmp240707609.exe
C:\Users\Admin\AppData\Local\Temp\tmp240707609.exe
325⤵
PID:4224

C:\Users\Admin\AppData\Local\Temp\tmp240707656.exe
C:\Users\Admin\AppData\Local\Temp\tmp240707656.exe
325⤵
PID:3680

C:\Users\Admin\AppData\Local\Temp\tmp240707890.exe
C:\Users\Admin\AppData\Local\Temp\tmp240707890.exe
326⤵
PID:856

C:\Users\Admin\AppData\Local\Temp\tmp240707968.exe
C:\Users\Admin\AppData\Local\Temp\tmp240707968.exe
327⤵
PID:4240

C:\Users\Admin\AppData\Local\Temp\tmp240708140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240708140.exe
327⤵
PID:5028

C:\Users\Admin\AppData\Local\Temp\tmp240707859.exe
C:\Users\Admin\AppData\Local\Temp\tmp240707859.exe
326⤵
PID:4164

C:\Users\Admin\AppData\Local\Temp\tmp240687156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240687156.exe
322⤵
PID:4080

C:\Users\Admin\AppData\Local\Temp\tmp240707421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240707421.exe
323⤵
PID:1336

C:\Users\Admin\AppData\Local\Temp\tmp240707578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240707578.exe
323⤵
PID:4716

C:\Users\Admin\AppData\Local\Temp\tmp240707671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240707671.exe
324⤵
- Checks computer location settings
PID:4544

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
325⤵
PID:2996

C:\Users\Admin\AppData\Local\Temp\tmp240708281.exe
C:\Users\Admin\AppData\Local\Temp\tmp240708281.exe
326⤵
- Checks computer location settings
- Modifies registry class
PID:620

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
327⤵
PID:3272

C:\Users\Admin\AppData\Local\Temp\tmp240708468.exe
C:\Users\Admin\AppData\Local\Temp\tmp240708468.exe
328⤵
PID:3944

C:\Users\Admin\AppData\Local\Temp\tmp240708546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240708546.exe
328⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\tmp240708593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240708593.exe
329⤵
PID:2696

C:\Users\Admin\AppData\Local\Temp\tmp240708656.exe
C:\Users\Admin\AppData\Local\Temp\tmp240708656.exe
329⤵
PID:2448

C:\Users\Admin\AppData\Local\Temp\tmp240708671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240708671.exe
330⤵
PID:4004

C:\Users\Admin\AppData\Local\Temp\tmp240708718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240708718.exe
330⤵
PID:4032

C:\Users\Admin\AppData\Local\Temp\tmp240708875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240708875.exe
331⤵
PID:616

C:\Users\Admin\AppData\Local\Temp\tmp240708890.exe
C:\Users\Admin\AppData\Local\Temp\tmp240708890.exe
331⤵
PID:1664

C:\Users\Admin\AppData\Local\Temp\tmp240708953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240708953.exe
332⤵
PID:3472

C:\Users\Admin\AppData\Local\Temp\tmp240708984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240708984.exe
332⤵
PID:2264

C:\Users\Admin\AppData\Local\Temp\tmp240708296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240708296.exe
326⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\tmp240708375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240708375.exe
327⤵
PID:4700

C:\Users\Admin\AppData\Local\Temp\tmp240708406.exe
C:\Users\Admin\AppData\Local\Temp\tmp240708406.exe
327⤵
PID:3436

C:\Users\Admin\AppData\Local\Temp\tmp240708453.exe
C:\Users\Admin\AppData\Local\Temp\tmp240708453.exe
328⤵
PID:3928

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
329⤵
PID:3456

C:\Users\Admin\AppData\Local\Temp\tmp240708812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240708812.exe
330⤵
PID:3916

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
331⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\tmp240709078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240709078.exe
332⤵
PID:2612

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
333⤵
PID:2988

C:\Users\Admin\AppData\Local\Temp\tmp240709312.exe
C:\Users\Admin\AppData\Local\Temp\tmp240709312.exe
334⤵
PID:2572

C:\Users\Admin\AppData\Local\Temp\tmp240709359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240709359.exe
334⤵
PID:3232

C:\Users\Admin\AppData\Local\Temp\tmp240709406.exe
C:\Users\Admin\AppData\Local\Temp\tmp240709406.exe
335⤵
PID:3392

C:\Users\Admin\AppData\Local\Temp\tmp240709453.exe
C:\Users\Admin\AppData\Local\Temp\tmp240709453.exe
335⤵
PID:632

C:\Users\Admin\AppData\Local\Temp\tmp240709531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240709531.exe
336⤵
PID:4404

C:\Users\Admin\AppData\Local\Temp\tmp240709562.exe
C:\Users\Admin\AppData\Local\Temp\tmp240709562.exe
336⤵
PID:2248

C:\Users\Admin\AppData\Local\Temp\tmp240709593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240709593.exe
337⤵
PID:4752

C:\Users\Admin\AppData\Local\Temp\tmp240709625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240709625.exe
337⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\tmp240709640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240709640.exe
338⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\tmp240709671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240709671.exe
338⤵
PID:4692

C:\Users\Admin\AppData\Local\Temp\tmp240709171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240709171.exe
332⤵
PID:1328

C:\Users\Admin\AppData\Local\Temp\tmp240709187.exe
C:\Users\Admin\AppData\Local\Temp\tmp240709187.exe
333⤵
PID:4496

C:\Users\Admin\AppData\Local\Temp\tmp240709218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240709218.exe
333⤵
PID:1488

C:\Users\Admin\AppData\Local\Temp\tmp240709265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240709265.exe
334⤵
PID:444

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
335⤵
PID:5040

C:\Users\Admin\AppData\Local\Temp\tmp240709484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240709484.exe
336⤵
PID:4332

C:\Users\Admin\AppData\Local\Temp\tmp240709500.exe
C:\Users\Admin\AppData\Local\Temp\tmp240709500.exe
336⤵
PID:2292

C:\Users\Admin\AppData\Local\Temp\tmp240709546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240709546.exe
337⤵
PID:2784

C:\Users\Admin\AppData\Local\Temp\tmp240709703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240709703.exe
337⤵
PID:2228

C:\Users\Admin\AppData\Local\Temp\tmp240709734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240709734.exe
338⤵
PID:2224

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
339⤵
PID:4756

C:\Users\Admin\AppData\Local\Temp\tmp240709937.exe
C:\Users\Admin\AppData\Local\Temp\tmp240709937.exe
340⤵
PID:4828

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
341⤵
PID:1668

C:\Users\Admin\AppData\Local\Temp\tmp240710296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240710296.exe
342⤵
PID:2588

C:\Users\Admin\AppData\Local\Temp\tmp240710312.exe
C:\Users\Admin\AppData\Local\Temp\tmp240710312.exe
342⤵
PID:3384

C:\Users\Admin\AppData\Local\Temp\tmp240710359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240710359.exe
343⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\tmp240710390.exe
C:\Users\Admin\AppData\Local\Temp\tmp240710390.exe
343⤵
PID:4996

C:\Users\Admin\AppData\Local\Temp\tmp240710453.exe
C:\Users\Admin\AppData\Local\Temp\tmp240710453.exe
344⤵
PID:2132

C:\Users\Admin\AppData\Local\Temp\tmp240710515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240710515.exe
344⤵
PID:5064

C:\Users\Admin\AppData\Local\Temp\tmp240710578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240710578.exe
345⤵
PID:408

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
346⤵
PID:3484

C:\Users\Admin\AppData\Local\Temp\tmp240710796.exe
C:\Users\Admin\AppData\Local\Temp\tmp240710796.exe
347⤵
PID:4188

C:\Users\Admin\AppData\Local\Temp\tmp240710593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240710593.exe
345⤵
PID:3292

C:\Users\Admin\AppData\Local\Temp\tmp240710656.exe
C:\Users\Admin\AppData\Local\Temp\tmp240710656.exe
346⤵
PID:644

C:\Users\Admin\AppData\Local\Temp\tmp240710687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240710687.exe
346⤵
PID:3568

C:\Users\Admin\AppData\Local\Temp\tmp240709953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240709953.exe
340⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\tmp240710031.exe
C:\Users\Admin\AppData\Local\Temp\tmp240710031.exe
341⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\tmp240710093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240710093.exe
341⤵
PID:3808

C:\Users\Admin\AppData\Local\Temp\tmp240710187.exe
C:\Users\Admin\AppData\Local\Temp\tmp240710187.exe
342⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\tmp240710265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240710265.exe
342⤵
PID:3540

C:\Users\Admin\AppData\Local\Temp\tmp240710375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240710375.exe
343⤵
PID:3680

C:\Users\Admin\AppData\Local\Temp\tmp240710468.exe
C:\Users\Admin\AppData\Local\Temp\tmp240710468.exe
343⤵
PID:5060

C:\Users\Admin\AppData\Local\Temp\tmp240710500.exe
C:\Users\Admin\AppData\Local\Temp\tmp240710500.exe
344⤵
PID:2516

C:\Users\Admin\AppData\Local\Temp\tmp240710531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240710531.exe
344⤵
PID:3752

C:\Users\Admin\AppData\Local\Temp\tmp240709781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240709781.exe
338⤵
PID:1300

C:\Users\Admin\AppData\Local\Temp\tmp240709843.exe
C:\Users\Admin\AppData\Local\Temp\tmp240709843.exe
339⤵
PID:4448

C:\Users\Admin\AppData\Local\Temp\tmp240709890.exe
C:\Users\Admin\AppData\Local\Temp\tmp240709890.exe
339⤵
PID:1888

C:\Users\Admin\AppData\Local\Temp\tmp240709968.exe
C:\Users\Admin\AppData\Local\Temp\tmp240709968.exe
340⤵
PID:3492

C:\Users\Admin\AppData\Local\Temp\tmp240710125.exe
C:\Users\Admin\AppData\Local\Temp\tmp240710125.exe
340⤵
PID:4656

C:\Users\Admin\AppData\Local\Temp\tmp240709328.exe
C:\Users\Admin\AppData\Local\Temp\tmp240709328.exe
334⤵
PID:628

C:\Users\Admin\AppData\Local\Temp\tmp240709375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240709375.exe
335⤵
PID:3256

C:\Users\Admin\AppData\Local\Temp\tmp240709421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240709421.exe
335⤵
PID:3756

C:\Users\Admin\AppData\Local\Temp\tmp240709468.exe
C:\Users\Admin\AppData\Local\Temp\tmp240709468.exe
336⤵
PID:1460

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
337⤵
PID:792

C:\Users\Admin\AppData\Local\Temp\tmp240709796.exe
C:\Users\Admin\AppData\Local\Temp\tmp240709796.exe
338⤵
PID:1932

C:\Users\Admin\AppData\Local\Temp\tmp240709828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240709828.exe
338⤵
PID:3672

C:\Users\Admin\AppData\Local\Temp\tmp240709875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240709875.exe
339⤵
PID:3284

C:\Users\Admin\AppData\Local\Temp\tmp240709921.exe
C:\Users\Admin\AppData\Local\Temp\tmp240709921.exe
339⤵
PID:3116

C:\Users\Admin\AppData\Local\Temp\tmp240709984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240709984.exe
340⤵
PID:2800

C:\Users\Admin\AppData\Local\Temp\tmp240710046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240710046.exe
340⤵
PID:4824

C:\Users\Admin\AppData\Local\Temp\tmp240710140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240710140.exe
341⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\tmp240710218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240710218.exe
341⤵
PID:804

C:\Users\Admin\AppData\Local\Temp\tmp240710281.exe
C:\Users\Admin\AppData\Local\Temp\tmp240710281.exe
342⤵
PID:1452

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
343⤵
PID:4088

C:\Users\Admin\AppData\Local\Temp\tmp240710546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240710546.exe
344⤵
PID:4992

C:\Users\Admin\AppData\Local\Temp\tmp240710640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240710640.exe
344⤵
PID:4544

C:\Users\Admin\AppData\Local\Temp\tmp240710718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240710718.exe
345⤵
PID:2832

C:\Users\Admin\AppData\Local\Temp\tmp240710750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240710750.exe
345⤵
PID:4616

C:\Users\Admin\AppData\Local\Temp\tmp240710781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240710781.exe
346⤵
PID:4000

C:\Users\Admin\AppData\Local\Temp\tmp240710328.exe
C:\Users\Admin\AppData\Local\Temp\tmp240710328.exe
342⤵
PID:3972

C:\Users\Admin\AppData\Local\Temp\tmp240709593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240709593.exe
336⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\tmp240708828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240708828.exe
330⤵
PID:2260

C:\Users\Admin\AppData\Local\Temp\tmp240708921.exe
C:\Users\Admin\AppData\Local\Temp\tmp240708921.exe
331⤵
PID:4156

C:\Users\Admin\AppData\Local\Temp\tmp240708968.exe
C:\Users\Admin\AppData\Local\Temp\tmp240708968.exe
331⤵
PID:4680

C:\Users\Admin\AppData\Local\Temp\tmp240709031.exe
C:\Users\Admin\AppData\Local\Temp\tmp240709031.exe
332⤵
PID:260

C:\Users\Admin\AppData\Local\Temp\tmp240709046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240709046.exe
332⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\tmp240709093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240709093.exe
333⤵
PID:2324

C:\Users\Admin\AppData\Local\Temp\tmp240709109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240709109.exe
333⤵
PID:4348

C:\Users\Admin\AppData\Local\Temp\tmp240708515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240708515.exe
328⤵
PID:4820

C:\Users\Admin\AppData\Local\Temp\tmp240708562.exe
C:\Users\Admin\AppData\Local\Temp\tmp240708562.exe
329⤵
PID:684

C:\Users\Admin\AppData\Local\Temp\tmp240708609.exe
C:\Users\Admin\AppData\Local\Temp\tmp240708609.exe
329⤵
PID:3212

C:\Users\Admin\AppData\Local\Temp\tmp240708703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240708703.exe
330⤵
PID:2284

C:\Users\Admin\AppData\Local\Temp\tmp240708796.exe
C:\Users\Admin\AppData\Local\Temp\tmp240708796.exe
330⤵
PID:3004

C:\Users\Admin\AppData\Local\Temp\tmp240707812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240707812.exe
324⤵
PID:5084

C:\Users\Admin\AppData\Local\Temp\tmp240707921.exe
C:\Users\Admin\AppData\Local\Temp\tmp240707921.exe
325⤵
PID:204

C:\Users\Admin\AppData\Local\Temp\tmp240708015.exe
C:\Users\Admin\AppData\Local\Temp\tmp240708015.exe
325⤵
PID:5064

C:\Users\Admin\AppData\Local\Temp\tmp240708125.exe
C:\Users\Admin\AppData\Local\Temp\tmp240708125.exe
326⤵
PID:3740

C:\Users\Admin\AppData\Local\Temp\tmp240708093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240708093.exe
326⤵
PID:212

C:\Users\Admin\AppData\Local\Temp\tmp240686781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240686781.exe
320⤵
PID:4692

C:\Users\Admin\AppData\Local\Temp\tmp240687015.exe
C:\Users\Admin\AppData\Local\Temp\tmp240687015.exe
321⤵
PID:1372

C:\Users\Admin\AppData\Local\Temp\tmp240687031.exe
C:\Users\Admin\AppData\Local\Temp\tmp240687031.exe
321⤵
PID:4252

C:\Users\Admin\AppData\Local\Temp\tmp240687125.exe
C:\Users\Admin\AppData\Local\Temp\tmp240687125.exe
322⤵
PID:2964

C:\Users\Admin\AppData\Local\Temp\tmp240687140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240687140.exe
322⤵
PID:4828

C:\Users\Admin\AppData\Local\Temp\tmp240687171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240687171.exe
323⤵
PID:2228

C:\Users\Admin\AppData\Local\Temp\tmp240687187.exe
C:\Users\Admin\AppData\Local\Temp\tmp240687187.exe
323⤵
PID:4344

C:\Users\Admin\AppData\Local\Temp\tmp240707359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240707359.exe
324⤵
- Checks computer location settings
- Modifies registry class
PID:804

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
325⤵
PID:3676

C:\Users\Admin\AppData\Local\Temp\tmp240707765.exe
C:\Users\Admin\AppData\Local\Temp\tmp240707765.exe
326⤵
PID:1780

C:\Users\Admin\AppData\Local\Temp\tmp240707781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240707781.exe
326⤵
PID:1528

C:\Users\Admin\AppData\Local\Temp\tmp240707937.exe
C:\Users\Admin\AppData\Local\Temp\tmp240707937.exe
327⤵
PID:3608

C:\Users\Admin\AppData\Local\Temp\tmp240708046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240708046.exe
327⤵
PID:3752

C:\Users\Admin\AppData\Local\Temp\tmp240708109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240708109.exe
328⤵
PID:4992

C:\Users\Admin\AppData\Local\Temp\tmp240708171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240708171.exe
328⤵
PID:1384

C:\Users\Admin\AppData\Local\Temp\tmp240708234.exe
C:\Users\Admin\AppData\Local\Temp\tmp240708234.exe
329⤵
PID:2368

C:\Users\Admin\AppData\Local\Temp\tmp240708250.exe
C:\Users\Admin\AppData\Local\Temp\tmp240708250.exe
329⤵
PID:3356

C:\Users\Admin\AppData\Local\Temp\tmp240707437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240707437.exe
324⤵
PID:2952

C:\Users\Admin\AppData\Local\Temp\tmp240686265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240686265.exe
318⤵
PID:3392

C:\Users\Admin\AppData\Local\Temp\tmp240686343.exe
C:\Users\Admin\AppData\Local\Temp\tmp240686343.exe
319⤵
PID:3884

C:\Users\Admin\AppData\Local\Temp\tmp240686359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240686359.exe
319⤵
PID:1736

C:\Users\Admin\AppData\Local\Temp\tmp240686453.exe
C:\Users\Admin\AppData\Local\Temp\tmp240686453.exe
320⤵
PID:2248

C:\Users\Admin\AppData\Local\Temp\tmp240686484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240686484.exe
320⤵
PID:3244

C:\Users\Admin\AppData\Local\Temp\tmp240687000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240687000.exe
321⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\tmp240687093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240687093.exe
321⤵
PID:4732

C:\Users\Admin\AppData\Local\Temp\tmp240707343.exe
C:\Users\Admin\AppData\Local\Temp\tmp240707343.exe
322⤵
PID:712

C:\Users\Admin\AppData\Local\Temp\tmp240707484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240707484.exe
322⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\tmp240685828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240685828.exe
316⤵
PID:2636

C:\Users\Admin\AppData\Local\Temp\tmp240686109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240686109.exe
317⤵
PID:3940

C:\Users\Admin\AppData\Local\Temp\tmp240686140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240686140.exe
317⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\tmp240686203.exe
C:\Users\Admin\AppData\Local\Temp\tmp240686203.exe
318⤵
PID:4360

C:\Users\Admin\AppData\Local\Temp\tmp240686234.exe
C:\Users\Admin\AppData\Local\Temp\tmp240686234.exe
318⤵
PID:2784

C:\Users\Admin\AppData\Local\Temp\tmp240686281.exe
C:\Users\Admin\AppData\Local\Temp\tmp240686281.exe
319⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\tmp240686328.exe
C:\Users\Admin\AppData\Local\Temp\tmp240686328.exe
319⤵
PID:5056

C:\Users\Admin\AppData\Local\Temp\tmp240685453.exe
C:\Users\Admin\AppData\Local\Temp\tmp240685453.exe
313⤵
PID:4820

C:\Users\Admin\AppData\Local\Temp\tmp240684625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240684625.exe
307⤵
PID:1452

C:\Users\Admin\AppData\Local\Temp\tmp240684656.exe
C:\Users\Admin\AppData\Local\Temp\tmp240684656.exe
308⤵
PID:4716

C:\Users\Admin\AppData\Local\Temp\tmp240684671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240684671.exe
308⤵
PID:5000

C:\Users\Admin\AppData\Local\Temp\tmp240684703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240684703.exe
309⤵
PID:720

C:\Users\Admin\AppData\Local\Temp\tmp240684718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240684718.exe
309⤵
PID:4232

C:\Users\Admin\AppData\Local\Temp\tmp240684781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240684781.exe
310⤵
PID:1528

C:\Users\Admin\AppData\Local\Temp\tmp240684796.exe
C:\Users\Admin\AppData\Local\Temp\tmp240684796.exe
310⤵
PID:828

C:\Users\Admin\AppData\Local\Temp\tmp240684390.exe
C:\Users\Admin\AppData\Local\Temp\tmp240684390.exe
305⤵
PID:4072

C:\Users\Admin\AppData\Local\Temp\tmp240683531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240683531.exe
300⤵
PID:1512

C:\Users\Admin\AppData\Local\Temp\tmp240683546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240683546.exe
301⤵
PID:3756

C:\Users\Admin\AppData\Local\Temp\tmp240683578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240683578.exe
301⤵
PID:4912

C:\Users\Admin\AppData\Local\Temp\tmp240683640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240683640.exe
302⤵
PID:2248

C:\Users\Admin\AppData\Local\Temp\tmp240683656.exe
C:\Users\Admin\AppData\Local\Temp\tmp240683656.exe
302⤵
PID:4692

C:\Users\Admin\AppData\Local\Temp\tmp240684125.exe
C:\Users\Admin\AppData\Local\Temp\tmp240684125.exe
303⤵
PID:3244

C:\Users\Admin\AppData\Local\Temp\tmp240684187.exe
C:\Users\Admin\AppData\Local\Temp\tmp240684187.exe
303⤵
PID:4960

C:\Users\Admin\AppData\Local\Temp\tmp240683343.exe
C:\Users\Admin\AppData\Local\Temp\tmp240683343.exe
298⤵
PID:3716

C:\Users\Admin\AppData\Local\Temp\tmp240683500.exe
C:\Users\Admin\AppData\Local\Temp\tmp240683500.exe
299⤵
PID:632

C:\Users\Admin\AppData\Local\Temp\tmp240669906.exe
C:\Users\Admin\AppData\Local\Temp\tmp240669906.exe
294⤵
PID:4772

C:\Users\Admin\AppData\Local\Temp\tmp240669562.exe
C:\Users\Admin\AppData\Local\Temp\tmp240669562.exe
289⤵
PID:5092

C:\Users\Admin\AppData\Local\Temp\tmp240669593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240669593.exe
290⤵
PID:2920

C:\Users\Admin\AppData\Local\Temp\tmp240669609.exe
C:\Users\Admin\AppData\Local\Temp\tmp240669609.exe
290⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\tmp240669687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240669687.exe
291⤵
PID:3496

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
292⤵
PID:4776

C:\Users\Admin\AppData\Local\Temp\tmp240669953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240669953.exe
293⤵
- Checks computer location settings
- Drops file in System32 directory
PID:4796

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
294⤵
PID:1944

C:\Users\Admin\AppData\Local\Temp\tmp240683078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240683078.exe
295⤵
PID:1820

C:\Users\Admin\AppData\Local\Temp\tmp240683296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240683296.exe
295⤵
PID:2612

C:\Users\Admin\AppData\Local\Temp\tmp240683468.exe
C:\Users\Admin\AppData\Local\Temp\tmp240683468.exe
296⤵
PID:3392

C:\Users\Admin\AppData\Local\Temp\tmp240683562.exe
C:\Users\Admin\AppData\Local\Temp\tmp240683562.exe
297⤵
PID:2124

C:\Users\Admin\AppData\Local\Temp\tmp240683593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240683593.exe
297⤵
PID:2292

C:\Users\Admin\AppData\Local\Temp\tmp240683625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240683625.exe
298⤵
PID:1316

C:\Users\Admin\AppData\Local\Temp\tmp240683671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240683671.exe
298⤵
PID:5100

C:\Users\Admin\AppData\Local\Temp\tmp240675875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240675875.exe
293⤵
PID:2448

C:\Users\Admin\AppData\Local\Temp\tmp240682953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240682953.exe
294⤵
PID:4244

C:\Users\Admin\AppData\Local\Temp\tmp240682984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240682984.exe
294⤵
PID:4740

C:\Users\Admin\AppData\Local\Temp\tmp240683062.exe
C:\Users\Admin\AppData\Local\Temp\tmp240683062.exe
295⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\tmp240683312.exe
C:\Users\Admin\AppData\Local\Temp\tmp240683312.exe
295⤵
PID:4836

C:\Users\Admin\AppData\Local\Temp\tmp240669718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240669718.exe
291⤵
PID:3464

C:\Users\Admin\AppData\Local\Temp\tmp240669781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240669781.exe
292⤵
PID:2860

C:\Users\Admin\AppData\Local\Temp\tmp240669843.exe
C:\Users\Admin\AppData\Local\Temp\tmp240669843.exe
292⤵
PID:620

C:\Users\Admin\AppData\Local\Temp\tmp240669375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240669375.exe
287⤵
PID:4480

C:\Users\Admin\AppData\Local\Temp\tmp240669468.exe
C:\Users\Admin\AppData\Local\Temp\tmp240669468.exe
288⤵
PID:3752

C:\Users\Admin\AppData\Local\Temp\tmp240669531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240669531.exe
288⤵
PID:4700

C:\Users\Admin\AppData\Local\Temp\tmp240668937.exe
C:\Users\Admin\AppData\Local\Temp\tmp240668937.exe
283⤵
PID:804

C:\Users\Admin\AppData\Local\Temp\tmp240669000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240669000.exe
284⤵
PID:4300

C:\Users\Admin\AppData\Local\Temp\tmp240669015.exe
C:\Users\Admin\AppData\Local\Temp\tmp240669015.exe
284⤵
PID:4056

C:\Users\Admin\AppData\Local\Temp\tmp240669062.exe
C:\Users\Admin\AppData\Local\Temp\tmp240669062.exe
285⤵
PID:712

C:\Users\Admin\AppData\Local\Temp\tmp240669078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240669078.exe
285⤵
PID:3996

C:\Users\Admin\AppData\Local\Temp\tmp240669093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240669093.exe
286⤵
PID:2560

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
287⤵
PID:3324

C:\Users\Admin\AppData\Local\Temp\tmp240669281.exe
C:\Users\Admin\AppData\Local\Temp\tmp240669281.exe
288⤵
PID:3988

C:\Users\Admin\AppData\Local\Temp\tmp240669296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240669296.exe
288⤵
PID:3104

C:\Users\Admin\AppData\Local\Temp\tmp240669343.exe
C:\Users\Admin\AppData\Local\Temp\tmp240669343.exe
289⤵
PID:3680

C:\Users\Admin\AppData\Local\Temp\tmp240669359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240669359.exe
289⤵
PID:388

C:\Users\Admin\AppData\Local\Temp\tmp240669421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240669421.exe
290⤵
PID:4400

C:\Users\Admin\AppData\Local\Temp\tmp240669437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240669437.exe
290⤵
PID:3336

C:\Users\Admin\AppData\Local\Temp\tmp240669484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240669484.exe
291⤵
PID:800

C:\Users\Admin\AppData\Local\Temp\tmp240669500.exe
C:\Users\Admin\AppData\Local\Temp\tmp240669500.exe
291⤵
PID:212

C:\Users\Admin\AppData\Local\Temp\tmp240669218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240669218.exe
286⤵
PID:2800

C:\Users\Admin\AppData\Local\Temp\tmp240668703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240668703.exe
281⤵
PID:1536

C:\Users\Admin\AppData\Local\Temp\tmp240668796.exe
C:\Users\Admin\AppData\Local\Temp\tmp240668796.exe
282⤵
PID:4328

C:\Users\Admin\AppData\Local\Temp\tmp240668828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240668828.exe
282⤵
PID:4828

C:\Users\Admin\AppData\Local\Temp\tmp240668859.exe
C:\Users\Admin\AppData\Local\Temp\tmp240668859.exe
283⤵
PID:1124

C:\Users\Admin\AppData\Local\Temp\tmp240668875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240668875.exe
283⤵
PID:1908

C:\Users\Admin\AppData\Local\Temp\tmp240668906.exe
C:\Users\Admin\AppData\Local\Temp\tmp240668906.exe
284⤵
PID:1856

C:\Users\Admin\AppData\Local\Temp\tmp240668921.exe
C:\Users\Admin\AppData\Local\Temp\tmp240668921.exe
284⤵
PID:1784

C:\Users\Admin\AppData\Local\Temp\tmp240668453.exe
C:\Users\Admin\AppData\Local\Temp\tmp240668453.exe
279⤵
PID:864

C:\Users\Admin\AppData\Local\Temp\tmp240668500.exe
C:\Users\Admin\AppData\Local\Temp\tmp240668500.exe
280⤵
PID:1524

C:\Users\Admin\AppData\Local\Temp\tmp240668546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240668546.exe
280⤵
PID:1512

C:\Users\Admin\AppData\Local\Temp\tmp240668078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240668078.exe
275⤵
PID:4848

C:\Users\Admin\AppData\Local\Temp\tmp240667625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240667625.exe
270⤵
PID:3356

C:\Users\Admin\AppData\Local\Temp\tmp240667109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240667109.exe
266⤵
PID:1528

C:\Users\Admin\AppData\Local\Temp\tmp240667140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240667140.exe
267⤵
PID:388

C:\Users\Admin\AppData\Local\Temp\tmp240667171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240667171.exe
267⤵
PID:1936

C:\Users\Admin\AppData\Local\Temp\tmp240666734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666734.exe
262⤵
PID:796

C:\Users\Admin\AppData\Local\Temp\tmp240666328.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666328.exe
257⤵
PID:2488

C:\Users\Admin\AppData\Local\Temp\tmp240665937.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665937.exe
252⤵
PID:4800

C:\Users\Admin\AppData\Local\Temp\tmp240665718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665718.exe
249⤵
PID:2568

C:\Users\Admin\AppData\Local\Temp\tmp240665531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665531.exe
247⤵
PID:2604

C:\Users\Admin\AppData\Local\Temp\tmp240665546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665546.exe
248⤵
PID:2996

C:\Users\Admin\AppData\Local\Temp\tmp240665578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665578.exe
248⤵
PID:3772

C:\Users\Admin\AppData\Local\Temp\tmp240665609.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665609.exe
249⤵
PID:4532

C:\Users\Admin\AppData\Local\Temp\tmp240665625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665625.exe
249⤵
PID:3004

C:\Users\Admin\AppData\Local\Temp\tmp240665640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665640.exe
250⤵
PID:4840

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
251⤵
PID:2284

C:\Users\Admin\AppData\Local\Temp\tmp240665906.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665906.exe
252⤵
PID:2064

C:\Users\Admin\AppData\Local\Temp\tmp240665921.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665921.exe
252⤵
PID:3352

C:\Users\Admin\AppData\Local\Temp\tmp240665984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665984.exe
253⤵
PID:1752

C:\Users\Admin\AppData\Local\Temp\tmp240666000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666000.exe
253⤵
PID:4604

C:\Users\Admin\AppData\Local\Temp\tmp240666031.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666031.exe
254⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\tmp240666046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666046.exe
254⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\tmp240666093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666093.exe
255⤵
PID:1420

C:\Users\Admin\AppData\Local\Temp\tmp240666125.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666125.exe
255⤵
PID:2892

C:\Users\Admin\AppData\Local\Temp\tmp240665703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665703.exe
250⤵
PID:4352

C:\Users\Admin\AppData\Local\Temp\tmp240665328.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665328.exe
245⤵
PID:4616

C:\Users\Admin\AppData\Local\Temp\tmp240665359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665359.exe
246⤵
PID:3740

C:\Users\Admin\AppData\Local\Temp\tmp240665390.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665390.exe
246⤵
PID:2808

C:\Users\Admin\AppData\Local\Temp\tmp240665421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665421.exe
247⤵
PID:1176

C:\Users\Admin\AppData\Local\Temp\tmp240665437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665437.exe
247⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\tmp240665468.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665468.exe
248⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\tmp240665500.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665500.exe
248⤵
PID:2696

C:\Users\Admin\AppData\Local\Temp\tmp240665140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665140.exe
243⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\tmp240665171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665171.exe
244⤵
PID:4400

C:\Users\Admin\AppData\Local\Temp\tmp240665187.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665187.exe
244⤵
PID:2728

C:\Users\Admin\AppData\Local\Temp\tmp240665218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665218.exe
245⤵
PID:2608

C:\Users\Admin\AppData\Local\Temp\tmp240665234.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665234.exe
245⤵
PID:4324

C:\Users\Admin\AppData\Local\Temp\tmp240665250.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665250.exe
246⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\tmp240665265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665265.exe
246⤵
PID:4880

C:\Users\Admin\AppData\Local\Temp\tmp240664953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240664953.exe
241⤵
PID:3996

C:\Users\Admin\AppData\Local\Temp\tmp240664968.exe
C:\Users\Admin\AppData\Local\Temp\tmp240664968.exe
242⤵
PID:5080

C:\Users\Admin\AppData\Local\Temp\tmp240665000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665000.exe
242⤵
PID:764

C:\Users\Admin\AppData\Local\Temp\tmp240665046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665046.exe
243⤵
PID:4512

C:\Users\Admin\AppData\Local\Temp\tmp240665062.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665062.exe
243⤵
PID:3336

C:\Users\Admin\AppData\Local\Temp\tmp240665093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665093.exe
244⤵
PID:3428

C:\Users\Admin\AppData\Local\Temp\tmp240665109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240665109.exe
244⤵
PID:2588

C:\Users\Admin\AppData\Local\Temp\tmp240664625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240664625.exe
239⤵
PID:3776

C:\Users\Admin\AppData\Local\Temp\tmp240664687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240664687.exe
240⤵
PID:1252

C:\Users\Admin\AppData\Local\Temp\tmp240664734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240664734.exe
240⤵
PID:2664

C:\Users\Admin\AppData\Local\Temp\tmp240664812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240664812.exe
241⤵
PID:3108

C:\Users\Admin\AppData\Local\Temp\tmp240664843.exe
C:\Users\Admin\AppData\Local\Temp\tmp240664843.exe
241⤵
PID:2952

C:\Users\Admin\AppData\Local\Temp\tmp240664875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240664875.exe
242⤵
PID:4080

C:\Users\Admin\AppData\Local\Temp\tmp240664906.exe
C:\Users\Admin\AppData\Local\Temp\tmp240664906.exe
242⤵
PID:3588

C:\Users\Admin\AppData\Local\Temp\tmp240664437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240664437.exe
237⤵
PID:1432

C:\Users\Admin\AppData\Local\Temp\tmp240664468.exe
C:\Users\Admin\AppData\Local\Temp\tmp240664468.exe
238⤵
PID:4912

C:\Users\Admin\AppData\Local\Temp\tmp240664484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240664484.exe
238⤵
PID:5056

C:\Users\Admin\AppData\Local\Temp\tmp240664000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240664000.exe
233⤵
PID:2324

C:\Users\Admin\AppData\Local\Temp\tmp240664062.exe
C:\Users\Admin\AppData\Local\Temp\tmp240664062.exe
234⤵
PID:2428

C:\Users\Admin\AppData\Local\Temp\tmp240664078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240664078.exe
234⤵
PID:4524

C:\Users\Admin\AppData\Local\Temp\tmp240664125.exe
C:\Users\Admin\AppData\Local\Temp\tmp240664125.exe
235⤵
PID:2656

C:\Users\Admin\AppData\Local\Temp\tmp240664156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240664156.exe
235⤵
PID:1736

C:\Users\Admin\AppData\Local\Temp\tmp240664234.exe
C:\Users\Admin\AppData\Local\Temp\tmp240664234.exe
236⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\tmp240664265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240664265.exe
236⤵
PID:4404

C:\Users\Admin\AppData\Local\Temp\tmp240663781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240663781.exe
231⤵
PID:4004

C:\Users\Admin\AppData\Local\Temp\tmp240663812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240663812.exe
232⤵
PID:4848

C:\Users\Admin\AppData\Local\Temp\tmp240663843.exe
C:\Users\Admin\AppData\Local\Temp\tmp240663843.exe
232⤵
PID:4836

C:\Users\Admin\AppData\Local\Temp\tmp240663875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240663875.exe
233⤵
PID:2888

C:\Users\Admin\AppData\Local\Temp\tmp240663906.exe
C:\Users\Admin\AppData\Local\Temp\tmp240663906.exe
233⤵
PID:3900

C:\Users\Admin\AppData\Local\Temp\tmp240663953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240663953.exe
234⤵
PID:4244

C:\Users\Admin\AppData\Local\Temp\tmp240663968.exe
C:\Users\Admin\AppData\Local\Temp\tmp240663968.exe
234⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\tmp240683390.exe
C:\Users\Admin\AppData\Local\Temp\tmp240683390.exe
233⤵
PID:4612

C:\Users\Admin\AppData\Local\Temp\tmp240683421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240683421.exe
233⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\tmp240663609.exe
C:\Users\Admin\AppData\Local\Temp\tmp240663609.exe
229⤵
PID:3212

C:\Users\Admin\AppData\Local\Temp\tmp240662984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240662984.exe
224⤵
PID:2084

C:\Users\Admin\AppData\Local\Temp\tmp240663000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240663000.exe
225⤵
PID:4868

C:\Users\Admin\AppData\Local\Temp\tmp240663031.exe
C:\Users\Admin\AppData\Local\Temp\tmp240663031.exe
225⤵
PID:2808

C:\Users\Admin\AppData\Local\Temp\tmp240663187.exe
C:\Users\Admin\AppData\Local\Temp\tmp240663187.exe
226⤵
PID:4088

C:\Users\Admin\AppData\Local\Temp\tmp240663203.exe
C:\Users\Admin\AppData\Local\Temp\tmp240663203.exe
226⤵
PID:1176

C:\Users\Admin\AppData\Local\Temp\tmp240662703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240662703.exe
222⤵
PID:3936

C:\Users\Admin\AppData\Local\Temp\tmp240662750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240662750.exe
223⤵
PID:3808

C:\Users\Admin\AppData\Local\Temp\tmp240662781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240662781.exe
223⤵
PID:3760

C:\Users\Admin\AppData\Local\Temp\tmp240662812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240662812.exe
224⤵
PID:4324

C:\Users\Admin\AppData\Local\Temp\tmp240662828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240662828.exe
224⤵
PID:4996

C:\Users\Admin\AppData\Local\Temp\tmp240662421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240662421.exe
220⤵
PID:4544

C:\Users\Admin\AppData\Local\Temp\tmp240662453.exe
C:\Users\Admin\AppData\Local\Temp\tmp240662453.exe
221⤵
PID:4876

C:\Users\Admin\AppData\Local\Temp\tmp240662468.exe
C:\Users\Admin\AppData\Local\Temp\tmp240662468.exe
221⤵
PID:2540

C:\Users\Admin\AppData\Local\Temp\tmp240662515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240662515.exe
222⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\tmp240662500.exe
C:\Users\Admin\AppData\Local\Temp\tmp240662500.exe
222⤵
PID:3428

C:\Users\Admin\AppData\Local\Temp\tmp240662156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240662156.exe
218⤵
PID:2560

C:\Users\Admin\AppData\Local\Temp\tmp240662218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240662218.exe
219⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\tmp240662250.exe
C:\Users\Admin\AppData\Local\Temp\tmp240662250.exe
219⤵
PID:3996

C:\Users\Admin\AppData\Local\Temp\tmp240662265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240662265.exe
220⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\tmp240662281.exe
C:\Users\Admin\AppData\Local\Temp\tmp240662281.exe
220⤵
PID:1012

C:\Users\Admin\AppData\Local\Temp\tmp240661437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240661437.exe
216⤵
PID:4344

C:\Users\Admin\AppData\Local\Temp\tmp240661453.exe
C:\Users\Admin\AppData\Local\Temp\tmp240661453.exe
217⤵
PID:3776

C:\Users\Admin\AppData\Local\Temp\tmp240661500.exe
C:\Users\Admin\AppData\Local\Temp\tmp240661500.exe
217⤵
PID:4792

C:\Users\Admin\AppData\Local\Temp\tmp240661546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240661546.exe
218⤵
PID:796

C:\Users\Admin\AppData\Local\Temp\tmp240662078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240662078.exe
218⤵
PID:1856

C:\Users\Admin\AppData\Local\Temp\tmp240661062.exe
C:\Users\Admin\AppData\Local\Temp\tmp240661062.exe
214⤵
PID:916

C:\Users\Admin\AppData\Local\Temp\tmp240661093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240661093.exe
215⤵
PID:5056

C:\Users\Admin\AppData\Local\Temp\tmp240661109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240661109.exe
215⤵
PID:3340

C:\Users\Admin\AppData\Local\Temp\tmp240661140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240661140.exe
216⤵
PID:2168

C:\Users\Admin\AppData\Local\Temp\tmp240661156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240661156.exe
216⤵
PID:4692

C:\Users\Admin\AppData\Local\Temp\tmp240660828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240660828.exe
212⤵
PID:4332

C:\Users\Admin\AppData\Local\Temp\tmp240660843.exe
C:\Users\Admin\AppData\Local\Temp\tmp240660843.exe
213⤵
PID:2292

C:\Users\Admin\AppData\Local\Temp\tmp240660859.exe
C:\Users\Admin\AppData\Local\Temp\tmp240660859.exe
213⤵
PID:3248

C:\Users\Admin\AppData\Local\Temp\tmp240660937.exe
C:\Users\Admin\AppData\Local\Temp\tmp240660937.exe
214⤵
PID:2492

C:\Users\Admin\AppData\Local\Temp\tmp240660953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240660953.exe
214⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\tmp240660640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240660640.exe
210⤵
PID:4904

C:\Users\Admin\AppData\Local\Temp\tmp240660671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240660671.exe
211⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\tmp240660687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240660687.exe
211⤵
PID:1496

C:\Users\Admin\AppData\Local\Temp\tmp240660718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240660718.exe
212⤵
PID:4704

C:\Users\Admin\AppData\Local\Temp\tmp240660765.exe
C:\Users\Admin\AppData\Local\Temp\tmp240660765.exe
212⤵
PID:4064

C:\Users\Admin\AppData\Local\Temp\tmp240660437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240660437.exe
208⤵
PID:3100

C:\Users\Admin\AppData\Local\Temp\tmp240660453.exe
C:\Users\Admin\AppData\Local\Temp\tmp240660453.exe
209⤵
PID:5044

C:\Users\Admin\AppData\Local\Temp\tmp240660484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240660484.exe
209⤵
PID:5036

C:\Users\Admin\AppData\Local\Temp\tmp240660531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240660531.exe
210⤵
PID:3716

C:\Users\Admin\AppData\Local\Temp\tmp240683390.exe
C:\Users\Admin\AppData\Local\Temp\tmp240683390.exe
211⤵
PID:4604

C:\Users\Admin\AppData\Local\Temp\tmp240660546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240660546.exe
210⤵
PID:4680

C:\Users\Admin\AppData\Local\Temp\tmp240660265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240660265.exe
206⤵
PID:1664

C:\Users\Admin\AppData\Local\Temp\tmp240660296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240660296.exe
207⤵
PID:3940

C:\Users\Admin\AppData\Local\Temp\tmp240660328.exe
C:\Users\Admin\AppData\Local\Temp\tmp240660328.exe
207⤵
PID:3796

C:\Users\Admin\AppData\Local\Temp\tmp240660359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240660359.exe
208⤵
PID:4004

C:\Users\Admin\AppData\Local\Temp\tmp240660375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240660375.exe
208⤵
PID:112

C:\Users\Admin\AppData\Local\Temp\tmp240659859.exe
C:\Users\Admin\AppData\Local\Temp\tmp240659859.exe
204⤵
PID:4772

C:\Users\Admin\AppData\Local\Temp\tmp240659906.exe
C:\Users\Admin\AppData\Local\Temp\tmp240659906.exe
205⤵
PID:684

C:\Users\Admin\AppData\Local\Temp\tmp240659937.exe
C:\Users\Admin\AppData\Local\Temp\tmp240659937.exe
205⤵
PID:4584

C:\Users\Admin\AppData\Local\Temp\tmp240659984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240659984.exe
206⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\tmp240660000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240660000.exe
206⤵
PID:4776

C:\Users\Admin\AppData\Local\Temp\tmp240659640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240659640.exe
202⤵
PID:5112

C:\Users\Admin\AppData\Local\Temp\tmp240659656.exe
C:\Users\Admin\AppData\Local\Temp\tmp240659656.exe
203⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\tmp240659671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240659671.exe
203⤵
PID:4352

C:\Users\Admin\AppData\Local\Temp\tmp240659703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240659703.exe
204⤵
PID:2604

C:\Users\Admin\AppData\Local\Temp\tmp240659734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240659734.exe
204⤵
PID:1480

C:\Users\Admin\AppData\Local\Temp\tmp240659406.exe
C:\Users\Admin\AppData\Local\Temp\tmp240659406.exe
200⤵
PID:4992

C:\Users\Admin\AppData\Local\Temp\tmp240659437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240659437.exe
201⤵
PID:4868

C:\Users\Admin\AppData\Local\Temp\tmp240659468.exe
C:\Users\Admin\AppData\Local\Temp\tmp240659468.exe
201⤵
PID:620

C:\Users\Admin\AppData\Local\Temp\tmp240659562.exe
C:\Users\Admin\AppData\Local\Temp\tmp240659562.exe
202⤵
PID:1548

C:\Users\Admin\AppData\Local\Temp\tmp240659578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240659578.exe
202⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\tmp240659187.exe
C:\Users\Admin\AppData\Local\Temp\tmp240659187.exe
198⤵
PID:1936

C:\Users\Admin\AppData\Local\Temp\tmp240659218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240659218.exe
199⤵
PID:2644

C:\Users\Admin\AppData\Local\Temp\tmp240659234.exe
C:\Users\Admin\AppData\Local\Temp\tmp240659234.exe
199⤵
PID:2516

C:\Users\Admin\AppData\Local\Temp\tmp240659296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240659296.exe
200⤵
PID:4480

C:\Users\Admin\AppData\Local\Temp\tmp240659312.exe
C:\Users\Admin\AppData\Local\Temp\tmp240659312.exe
200⤵
PID:1444

C:\Users\Admin\AppData\Local\Temp\tmp240658953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240658953.exe
196⤵
PID:4688

C:\Users\Admin\AppData\Local\Temp\tmp240659000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240659000.exe
197⤵
PID:4876

C:\Users\Admin\AppData\Local\Temp\tmp240659031.exe
C:\Users\Admin\AppData\Local\Temp\tmp240659031.exe
197⤵
PID:3752

C:\Users\Admin\AppData\Local\Temp\tmp240659062.exe
C:\Users\Admin\AppData\Local\Temp\tmp240659062.exe
198⤵
PID:4272

C:\Users\Admin\AppData\Local\Temp\tmp240659078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240659078.exe
198⤵
PID:5060

C:\Users\Admin\AppData\Local\Temp\tmp240658609.exe
C:\Users\Admin\AppData\Local\Temp\tmp240658609.exe
194⤵
PID:3284

C:\Users\Admin\AppData\Local\Temp\tmp240658640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240658640.exe
195⤵
PID:3996

C:\Users\Admin\AppData\Local\Temp\tmp240658671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240658671.exe
195⤵
PID:1012

C:\Users\Admin\AppData\Local\Temp\tmp240658703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240658703.exe
196⤵
PID:456

C:\Users\Admin\AppData\Local\Temp\tmp240658718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240658718.exe
196⤵
PID:2952

C:\Users\Admin\AppData\Local\Temp\tmp240658359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240658359.exe
192⤵
PID:460

C:\Users\Admin\AppData\Local\Temp\tmp240658390.exe
C:\Users\Admin\AppData\Local\Temp\tmp240658390.exe
193⤵
PID:4228

C:\Users\Admin\AppData\Local\Temp\tmp240658406.exe
C:\Users\Admin\AppData\Local\Temp\tmp240658406.exe
193⤵
PID:1612

C:\Users\Admin\AppData\Local\Temp\tmp240658453.exe
C:\Users\Admin\AppData\Local\Temp\tmp240658453.exe
194⤵
PID:3732

C:\Users\Admin\AppData\Local\Temp\tmp240658484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240658484.exe
194⤵
PID:3412

C:\Users\Admin\AppData\Local\Temp\tmp240657984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240657984.exe
190⤵
PID:2784

C:\Users\Admin\AppData\Local\Temp\tmp240658046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240658046.exe
191⤵
PID:5056

C:\Users\Admin\AppData\Local\Temp\tmp240658062.exe
C:\Users\Admin\AppData\Local\Temp\tmp240658062.exe
191⤵
PID:4780

C:\Users\Admin\AppData\Local\Temp\tmp240658109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240658109.exe
192⤵
PID:4252

C:\Users\Admin\AppData\Local\Temp\tmp240658125.exe
C:\Users\Admin\AppData\Local\Temp\tmp240658125.exe
192⤵
PID:2168

C:\Users\Admin\AppData\Local\Temp\tmp240657703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240657703.exe
188⤵
PID:3504

C:\Users\Admin\AppData\Local\Temp\tmp240657734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240657734.exe
189⤵
PID:2292

C:\Users\Admin\AppData\Local\Temp\tmp240657765.exe
C:\Users\Admin\AppData\Local\Temp\tmp240657765.exe
189⤵
PID:3256

C:\Users\Admin\AppData\Local\Temp\tmp240657859.exe
C:\Users\Admin\AppData\Local\Temp\tmp240657859.exe
190⤵
PID:2272

C:\Users\Admin\AppData\Local\Temp\tmp240657890.exe
C:\Users\Admin\AppData\Local\Temp\tmp240657890.exe
190⤵
PID:1316

C:\Users\Admin\AppData\Local\Temp\tmp240657375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240657375.exe
186⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\tmp240657437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240657437.exe
187⤵
PID:4404

C:\Users\Admin\AppData\Local\Temp\tmp240657500.exe
C:\Users\Admin\AppData\Local\Temp\tmp240657500.exe
188⤵
PID:2656

C:\Users\Admin\AppData\Local\Temp\tmp240657609.exe
C:\Users\Admin\AppData\Local\Temp\tmp240657609.exe
188⤵
PID:2488

C:\Users\Admin\AppData\Local\Temp\tmp240657406.exe
C:\Users\Admin\AppData\Local\Temp\tmp240657406.exe
187⤵
PID:2200

C:\Users\Admin\AppData\Local\Temp\tmp240657140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240657140.exe
184⤵
PID:5044

C:\Users\Admin\AppData\Local\Temp\tmp240657218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240657218.exe
185⤵
PID:2584

C:\Users\Admin\AppData\Local\Temp\tmp240657234.exe
C:\Users\Admin\AppData\Local\Temp\tmp240657234.exe
185⤵
PID:1420

C:\Users\Admin\AppData\Local\Temp\tmp240657296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240657296.exe
186⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\tmp240657312.exe
C:\Users\Admin\AppData\Local\Temp\tmp240657312.exe
186⤵
PID:3688

C:\Users\Admin\AppData\Local\Temp\tmp240656765.exe
C:\Users\Admin\AppData\Local\Temp\tmp240656765.exe
182⤵
PID:3940

C:\Users\Admin\AppData\Local\Temp\tmp240656812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240656812.exe
183⤵
PID:1248

C:\Users\Admin\AppData\Local\Temp\tmp240656843.exe
C:\Users\Admin\AppData\Local\Temp\tmp240656843.exe
183⤵
PID:4604

C:\Users\Admin\AppData\Local\Temp\tmp240656890.exe
C:\Users\Admin\AppData\Local\Temp\tmp240656890.exe
184⤵
PID:3796

C:\Users\Admin\AppData\Local\Temp\tmp240656921.exe
C:\Users\Admin\AppData\Local\Temp\tmp240656921.exe
184⤵
PID:2064

C:\Users\Admin\AppData\Local\Temp\tmp240656515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240656515.exe
180⤵
PID:2036

C:\Users\Admin\AppData\Local\Temp\tmp240655468.exe
C:\Users\Admin\AppData\Local\Temp\tmp240655468.exe
174⤵
PID:2608

C:\Users\Admin\AppData\Local\Temp\tmp240655093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240655093.exe
170⤵
PID:5004

C:\Users\Admin\AppData\Local\Temp\tmp240654765.exe
C:\Users\Admin\AppData\Local\Temp\tmp240654765.exe
167⤵
PID:712

C:\Users\Admin\AppData\Local\Temp\tmp240654156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240654156.exe
164⤵
PID:1464

C:\Users\Admin\AppData\Local\Temp\tmp240654250.exe
C:\Users\Admin\AppData\Local\Temp\tmp240654250.exe
165⤵
- Checks computer location settings
PID:2316

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
166⤵
PID:4228

C:\Users\Admin\AppData\Local\Temp\tmp240654750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240654750.exe
167⤵
PID:432

C:\Users\Admin\AppData\Local\Temp\tmp240654812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240654812.exe
167⤵
PID:4856

C:\Users\Admin\AppData\Local\Temp\tmp240654859.exe
C:\Users\Admin\AppData\Local\Temp\tmp240654859.exe
168⤵
PID:700

C:\Users\Admin\AppData\Local\Temp\tmp240654875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240654875.exe
168⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\tmp240654406.exe
C:\Users\Admin\AppData\Local\Temp\tmp240654406.exe
165⤵
PID:5100

C:\Users\Admin\AppData\Local\Temp\tmp240653890.exe
C:\Users\Admin\AppData\Local\Temp\tmp240653890.exe
162⤵
PID:2492

C:\Users\Admin\AppData\Local\Temp\tmp240653937.exe
C:\Users\Admin\AppData\Local\Temp\tmp240653937.exe
163⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\tmp240654000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240654000.exe
163⤵
PID:1512

C:\Users\Admin\AppData\Local\Temp\tmp240652984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240652984.exe
160⤵
PID:3472

C:\Users\Admin\AppData\Local\Temp\tmp240653343.exe
C:\Users\Admin\AppData\Local\Temp\tmp240653343.exe
161⤵
PID:4680

C:\Users\Admin\AppData\Local\Temp\tmp240653437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240653437.exe
161⤵
PID:3684

C:\Users\Admin\AppData\Local\Temp\tmp240652562.exe
C:\Users\Admin\AppData\Local\Temp\tmp240652562.exe
158⤵
PID:2064

C:\Users\Admin\AppData\Local\Temp\tmp240652734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240652734.exe
159⤵
PID:3796

C:\Users\Admin\AppData\Local\Temp\tmp240652781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240652781.exe
159⤵
PID:372

C:\Users\Admin\AppData\Local\Temp\tmp240652187.exe
C:\Users\Admin\AppData\Local\Temp\tmp240652187.exe
156⤵
PID:4424

C:\Users\Admin\AppData\Local\Temp\tmp240652593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240652593.exe
157⤵
PID:4740

C:\Users\Admin\AppData\Local\Temp\tmp240652750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240652750.exe
157⤵
PID:2804

C:\Users\Admin\AppData\Local\Temp\tmp240650375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240650375.exe
154⤵
PID:1224

C:\Users\Admin\AppData\Local\Temp\tmp240651953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240651953.exe
155⤵
PID:1320

C:\Users\Admin\AppData\Local\Temp\tmp240652218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240652218.exe
155⤵
PID:2284

C:\Users\Admin\AppData\Local\Temp\tmp240644296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240644296.exe
152⤵
PID:2260

C:\Users\Admin\AppData\Local\Temp\tmp240650359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240650359.exe
153⤵
PID:668

C:\Users\Admin\AppData\Local\Temp\tmp240651671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240651671.exe
153⤵
PID:1604

C:\Users\Admin\AppData\Local\Temp\tmp240628343.exe
C:\Users\Admin\AppData\Local\Temp\tmp240628343.exe
150⤵
PID:4868

C:\Users\Admin\AppData\Local\Temp\tmp240618265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240618265.exe
148⤵
PID:3192

C:\Users\Admin\AppData\Local\Temp\tmp240618000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240618000.exe
146⤵
PID:4544

C:\Users\Admin\AppData\Local\Temp\tmp240617781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240617781.exe
144⤵
PID:5080

C:\Users\Admin\AppData\Local\Temp\tmp240617093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240617093.exe
142⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\tmp240616468.exe
C:\Users\Admin\AppData\Local\Temp\tmp240616468.exe
140⤵
PID:5072

C:\Users\Admin\AppData\Local\Temp\tmp240616281.exe
C:\Users\Admin\AppData\Local\Temp\tmp240616281.exe
138⤵
PID:4664

C:\Users\Admin\AppData\Local\Temp\tmp240616078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240616078.exe
136⤵
PID:3248

C:\Users\Admin\AppData\Local\Temp\tmp240615906.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615906.exe
134⤵
PID:2392

C:\Users\Admin\AppData\Local\Temp\tmp240615718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615718.exe
132⤵
PID:3504

C:\Users\Admin\AppData\Local\Temp\tmp240615531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615531.exe
130⤵
PID:3688

C:\Users\Admin\AppData\Local\Temp\tmp240615328.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615328.exe
128⤵
PID:1820

C:\Users\Admin\AppData\Local\Temp\tmp240615171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615171.exe
126⤵
PID:4032

C:\Users\Admin\AppData\Local\Temp\tmp240614968.exe
C:\Users\Admin\AppData\Local\Temp\tmp240614968.exe
124⤵
PID:4604

C:\Users\Admin\AppData\Local\Temp\tmp240614796.exe
C:\Users\Admin\AppData\Local\Temp\tmp240614796.exe
122⤵
PID:3524

C:\Users\Admin\AppData\Local\Temp\tmp240614562.exe
C:\Users\Admin\AppData\Local\Temp\tmp240614562.exe
120⤵
PID:2264

C:\Users\Admin\AppData\Local\Temp\tmp240614343.exe
C:\Users\Admin\AppData\Local\Temp\tmp240614343.exe
118⤵
PID:1736

C:\Users\Admin\AppData\Local\Temp\tmp240614156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240614156.exe
116⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\tmp240613968.exe
C:\Users\Admin\AppData\Local\Temp\tmp240613968.exe
114⤵
PID:508

C:\Users\Admin\AppData\Local\Temp\tmp240613781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240613781.exe
112⤵
PID:4868

C:\Users\Admin\AppData\Local\Temp\tmp240613546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240613546.exe
110⤵
PID:4872

C:\Users\Admin\AppData\Local\Temp\tmp240613265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240613265.exe
108⤵
PID:408

C:\Users\Admin\AppData\Local\Temp\tmp240613046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240613046.exe
106⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\tmp240612859.exe
C:\Users\Admin\AppData\Local\Temp\tmp240612859.exe
104⤵
PID:3996

C:\Users\Admin\AppData\Local\Temp\tmp240612640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240612640.exe
102⤵
PID:444

C:\Users\Admin\AppData\Local\Temp\tmp240612390.exe
C:\Users\Admin\AppData\Local\Temp\tmp240612390.exe
100⤵
PID:4228

C:\Users\Admin\AppData\Local\Temp\tmp240612140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240612140.exe
98⤵
PID:4816

C:\Users\Admin\AppData\Local\Temp\tmp240611921.exe
C:\Users\Admin\AppData\Local\Temp\tmp240611921.exe
96⤵
PID:4764

C:\Users\Admin\AppData\Local\Temp\tmp240611687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240611687.exe
94⤵
PID:2796

C:\Users\Admin\AppData\Local\Temp\tmp240611250.exe
C:\Users\Admin\AppData\Local\Temp\tmp240611250.exe
92⤵
PID:532

C:\Users\Admin\AppData\Local\Temp\tmp240610984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240610984.exe
90⤵
PID:2456

C:\Users\Admin\AppData\Local\Temp\tmp240609796.exe
C:\Users\Admin\AppData\Local\Temp\tmp240609796.exe
88⤵
PID:3196

C:\Users\Admin\AppData\Local\Temp\tmp240609484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240609484.exe
86⤵
PID:4916

C:\Users\Admin\AppData\Local\Temp\tmp240609031.exe
C:\Users\Admin\AppData\Local\Temp\tmp240609031.exe
84⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\tmp240608703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240608703.exe
82⤵
PID:1664

C:\Users\Admin\AppData\Local\Temp\tmp240608484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240608484.exe
80⤵
PID:612

C:\Users\Admin\AppData\Local\Temp\tmp240608140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240608140.exe
78⤵
PID:4744

C:\Users\Admin\AppData\Local\Temp\tmp240607875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240607875.exe
76⤵
PID:4304

C:\Users\Admin\AppData\Local\Temp\tmp240607546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240607546.exe
74⤵
PID:1616

C:\Users\Admin\AppData\Local\Temp\tmp240607218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240607218.exe
72⤵
PID:4352

C:\Users\Admin\AppData\Local\Temp\tmp240606859.exe
C:\Users\Admin\AppData\Local\Temp\tmp240606859.exe
70⤵
PID:1176

C:\Users\Admin\AppData\Local\Temp\tmp240606593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240606593.exe
68⤵
PID:1360

C:\Users\Admin\AppData\Local\Temp\tmp240606281.exe
C:\Users\Admin\AppData\Local\Temp\tmp240606281.exe
66⤵
PID:3484

C:\Users\Admin\AppData\Local\Temp\tmp240605937.exe
C:\Users\Admin\AppData\Local\Temp\tmp240605937.exe
64⤵
PID:620

C:\Users\Admin\AppData\Local\Temp\tmp240605484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240605484.exe
62⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\tmp240594687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240594687.exe
60⤵
PID:3732

C:\Users\Admin\AppData\Local\Temp\tmp240593796.exe
C:\Users\Admin\AppData\Local\Temp\tmp240593796.exe
58⤵
PID:4756

C:\Users\Admin\AppData\Local\Temp\tmp240593593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240593593.exe
56⤵
PID:3840

C:\Users\Admin\AppData\Local\Temp\tmp240593343.exe
C:\Users\Admin\AppData\Local\Temp\tmp240593343.exe
54⤵
PID:2784

C:\Users\Admin\AppData\Local\Temp\tmp240592031.exe
C:\Users\Admin\AppData\Local\Temp\tmp240592031.exe
52⤵
PID:1112

C:\Users\Admin\AppData\Local\Temp\tmp240591812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240591812.exe
50⤵
PID:532

C:\Users\Admin\AppData\Local\Temp\tmp240591562.exe
C:\Users\Admin\AppData\Local\Temp\tmp240591562.exe
48⤵
PID:4332

C:\Users\Admin\AppData\Local\Temp\tmp240590359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240590359.exe
46⤵
PID:4540

C:\Users\Admin\AppData\Local\Temp\tmp240590093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240590093.exe
44⤵
PID:4312

C:\Users\Admin\AppData\Local\Temp\tmp240589937.exe
C:\Users\Admin\AppData\Local\Temp\tmp240589937.exe
42⤵
- Executes dropped EXE
PID:4284

C:\Users\Admin\AppData\Local\Temp\tmp240588921.exe
C:\Users\Admin\AppData\Local\Temp\tmp240588921.exe
40⤵
- Executes dropped EXE
PID:2324

C:\Users\Admin\AppData\Local\Temp\tmp240569812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240569812.exe
38⤵
- Executes dropped EXE
PID:3900

C:\Users\Admin\AppData\Local\Temp\tmp240569578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240569578.exe
36⤵
- Executes dropped EXE
PID:2036

C:\Users\Admin\AppData\Local\Temp\tmp240569296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240569296.exe
34⤵
- Executes dropped EXE
PID:4304

C:\Users\Admin\AppData\Local\Temp\tmp240569031.exe
C:\Users\Admin\AppData\Local\Temp\tmp240569031.exe
32⤵
- Executes dropped EXE
PID:3396

C:\Users\Admin\AppData\Local\Temp\tmp240568781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240568781.exe
30⤵
- Executes dropped EXE
PID:2312

C:\Users\Admin\AppData\Local\Temp\tmp240568437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240568437.exe
28⤵
- Executes dropped EXE
PID:4324

C:\Users\Admin\AppData\Local\Temp\tmp240568171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240568171.exe
26⤵
- Executes dropped EXE
PID:4280

C:\Users\Admin\AppData\Local\Temp\tmp240567953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240567953.exe
24⤵
- Executes dropped EXE
PID:3148

C:\Users\Admin\AppData\Local\Temp\tmp240567640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240567640.exe
22⤵
- Executes dropped EXE
PID:4876

C:\Users\Admin\AppData\Local\Temp\tmp240567140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240567140.exe
20⤵
- Executes dropped EXE
PID:4912

C:\Users\Admin\AppData\Local\Temp\tmp240566687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240566687.exe
18⤵
- Executes dropped EXE
PID:4692

C:\Users\Admin\AppData\Local\Temp\tmp240566265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240566265.exe
16⤵
- Executes dropped EXE
PID:2168

C:\Users\Admin\AppData\Local\Temp\tmp240565703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240565703.exe
14⤵
- Executes dropped EXE
PID:1888

C:\Users\Admin\AppData\Local\Temp\tmp240565484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240565484.exe
12⤵
- Executes dropped EXE
PID:1484

C:\Users\Admin\AppData\Local\Temp\tmp240565171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240565171.exe
10⤵
- Executes dropped EXE
PID:2292

C:\Users\Admin\AppData\Local\Temp\tmp240564859.exe
C:\Users\Admin\AppData\Local\Temp\tmp240564859.exe
8⤵
- Executes dropped EXE
PID:4404

C:\Users\Admin\AppData\Local\Temp\tmp240564515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240564515.exe
6⤵
- Executes dropped EXE
PID:2892

C:\Users\Admin\AppData\Local\Temp\tmp240563843.exe
C:\Users\Admin\AppData\Local\Temp\tmp240563843.exe
4⤵
- Executes dropped EXE
PID:4040

C:\Users\Admin\AppData\Local\Temp\tmp240562203.exe
C:\Users\Admin\AppData\Local\Temp\tmp240562203.exe
2⤵
- Executes dropped EXE
PID:1132

C:\Users\Admin\AppData\Local\Temp\tmp240683375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240683375.exe
1⤵
PID:3824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp240562078.exe

Filesize
445KB

MD5
f7edb8d94e5d3fb3fe81c93476621b1f

SHA1
f3bac2b027870bd8c0445acf15587944e4a79e1a

SHA256
eb7809a3dfa697c41c2ed23ca13431f86e1a3e9543756c16b041e02f4632eeb3

SHA512
952a2f7eeafc6ba30ea01b579571ceafba3c1cb08339f7e8d4b36eaff80dc089efbd92326901f61f28b619d240d80e78dede8f69f70d504e51a25f3332408157

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240562078.exe

Filesize
445KB

MD5
f7edb8d94e5d3fb3fe81c93476621b1f

SHA1
f3bac2b027870bd8c0445acf15587944e4a79e1a

SHA256
eb7809a3dfa697c41c2ed23ca13431f86e1a3e9543756c16b041e02f4632eeb3

SHA512
952a2f7eeafc6ba30ea01b579571ceafba3c1cb08339f7e8d4b36eaff80dc089efbd92326901f61f28b619d240d80e78dede8f69f70d504e51a25f3332408157

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240562203.exe

Filesize
67KB

MD5
388b8fbc36a8558587afc90fb23a3b99

SHA1
ed55ad0a7078651857bd8fc0eedd8b07f94594cc

SHA256
fefeac4c10bbe237cc6c861229ecaacbd2a366ac4fbd04a3862b62bd7a778093

SHA512
0a91f6fd90f3429a69c907d9f81420334be92407269df964b6619874aa241ec6aeb2c1920ac643ce604c7ea65b21cc80f0a09c722327b6c3b7be58f9e3029e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240562203.exe

Filesize
67KB

MD5
388b8fbc36a8558587afc90fb23a3b99

SHA1
ed55ad0a7078651857bd8fc0eedd8b07f94594cc

SHA256
fefeac4c10bbe237cc6c861229ecaacbd2a366ac4fbd04a3862b62bd7a778093

SHA512
0a91f6fd90f3429a69c907d9f81420334be92407269df964b6619874aa241ec6aeb2c1920ac643ce604c7ea65b21cc80f0a09c722327b6c3b7be58f9e3029e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240563781.exe

Filesize
445KB

MD5
f7edb8d94e5d3fb3fe81c93476621b1f

SHA1
f3bac2b027870bd8c0445acf15587944e4a79e1a

SHA256
eb7809a3dfa697c41c2ed23ca13431f86e1a3e9543756c16b041e02f4632eeb3

SHA512
952a2f7eeafc6ba30ea01b579571ceafba3c1cb08339f7e8d4b36eaff80dc089efbd92326901f61f28b619d240d80e78dede8f69f70d504e51a25f3332408157

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240563781.exe

Filesize
445KB

MD5
f7edb8d94e5d3fb3fe81c93476621b1f

SHA1
f3bac2b027870bd8c0445acf15587944e4a79e1a

SHA256
eb7809a3dfa697c41c2ed23ca13431f86e1a3e9543756c16b041e02f4632eeb3

SHA512
952a2f7eeafc6ba30ea01b579571ceafba3c1cb08339f7e8d4b36eaff80dc089efbd92326901f61f28b619d240d80e78dede8f69f70d504e51a25f3332408157

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240563843.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240564468.exe

Filesize
445KB

MD5
f7edb8d94e5d3fb3fe81c93476621b1f

SHA1
f3bac2b027870bd8c0445acf15587944e4a79e1a

SHA256
eb7809a3dfa697c41c2ed23ca13431f86e1a3e9543756c16b041e02f4632eeb3

SHA512
952a2f7eeafc6ba30ea01b579571ceafba3c1cb08339f7e8d4b36eaff80dc089efbd92326901f61f28b619d240d80e78dede8f69f70d504e51a25f3332408157

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240564468.exe

Filesize
445KB

MD5
f7edb8d94e5d3fb3fe81c93476621b1f

SHA1
f3bac2b027870bd8c0445acf15587944e4a79e1a

SHA256
eb7809a3dfa697c41c2ed23ca13431f86e1a3e9543756c16b041e02f4632eeb3

SHA512
952a2f7eeafc6ba30ea01b579571ceafba3c1cb08339f7e8d4b36eaff80dc089efbd92326901f61f28b619d240d80e78dede8f69f70d504e51a25f3332408157

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240564515.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240564812.exe

Filesize
445KB

MD5
f7edb8d94e5d3fb3fe81c93476621b1f

SHA1
f3bac2b027870bd8c0445acf15587944e4a79e1a

SHA256
eb7809a3dfa697c41c2ed23ca13431f86e1a3e9543756c16b041e02f4632eeb3

SHA512
952a2f7eeafc6ba30ea01b579571ceafba3c1cb08339f7e8d4b36eaff80dc089efbd92326901f61f28b619d240d80e78dede8f69f70d504e51a25f3332408157

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240564812.exe

Filesize
445KB

MD5
f7edb8d94e5d3fb3fe81c93476621b1f

SHA1
f3bac2b027870bd8c0445acf15587944e4a79e1a

SHA256
eb7809a3dfa697c41c2ed23ca13431f86e1a3e9543756c16b041e02f4632eeb3

SHA512
952a2f7eeafc6ba30ea01b579571ceafba3c1cb08339f7e8d4b36eaff80dc089efbd92326901f61f28b619d240d80e78dede8f69f70d504e51a25f3332408157

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240564859.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240565109.exe

Filesize
445KB

MD5
f7edb8d94e5d3fb3fe81c93476621b1f

SHA1
f3bac2b027870bd8c0445acf15587944e4a79e1a

SHA256
eb7809a3dfa697c41c2ed23ca13431f86e1a3e9543756c16b041e02f4632eeb3

SHA512
952a2f7eeafc6ba30ea01b579571ceafba3c1cb08339f7e8d4b36eaff80dc089efbd92326901f61f28b619d240d80e78dede8f69f70d504e51a25f3332408157

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240565109.exe

Filesize
445KB

MD5
f7edb8d94e5d3fb3fe81c93476621b1f

SHA1
f3bac2b027870bd8c0445acf15587944e4a79e1a

SHA256
eb7809a3dfa697c41c2ed23ca13431f86e1a3e9543756c16b041e02f4632eeb3

SHA512
952a2f7eeafc6ba30ea01b579571ceafba3c1cb08339f7e8d4b36eaff80dc089efbd92326901f61f28b619d240d80e78dede8f69f70d504e51a25f3332408157

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240565171.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240565406.exe

Filesize
445KB

MD5
f7edb8d94e5d3fb3fe81c93476621b1f

SHA1
f3bac2b027870bd8c0445acf15587944e4a79e1a

SHA256
eb7809a3dfa697c41c2ed23ca13431f86e1a3e9543756c16b041e02f4632eeb3

SHA512
952a2f7eeafc6ba30ea01b579571ceafba3c1cb08339f7e8d4b36eaff80dc089efbd92326901f61f28b619d240d80e78dede8f69f70d504e51a25f3332408157

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240565406.exe

Filesize
445KB

MD5
f7edb8d94e5d3fb3fe81c93476621b1f

SHA1
f3bac2b027870bd8c0445acf15587944e4a79e1a

SHA256
eb7809a3dfa697c41c2ed23ca13431f86e1a3e9543756c16b041e02f4632eeb3

SHA512
952a2f7eeafc6ba30ea01b579571ceafba3c1cb08339f7e8d4b36eaff80dc089efbd92326901f61f28b619d240d80e78dede8f69f70d504e51a25f3332408157

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240565484.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240565671.exe

Filesize
445KB

MD5
f7edb8d94e5d3fb3fe81c93476621b1f

SHA1
f3bac2b027870bd8c0445acf15587944e4a79e1a

SHA256
eb7809a3dfa697c41c2ed23ca13431f86e1a3e9543756c16b041e02f4632eeb3

SHA512
952a2f7eeafc6ba30ea01b579571ceafba3c1cb08339f7e8d4b36eaff80dc089efbd92326901f61f28b619d240d80e78dede8f69f70d504e51a25f3332408157

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240565671.exe

Filesize
445KB

MD5
f7edb8d94e5d3fb3fe81c93476621b1f

SHA1
f3bac2b027870bd8c0445acf15587944e4a79e1a

SHA256
eb7809a3dfa697c41c2ed23ca13431f86e1a3e9543756c16b041e02f4632eeb3

SHA512
952a2f7eeafc6ba30ea01b579571ceafba3c1cb08339f7e8d4b36eaff80dc089efbd92326901f61f28b619d240d80e78dede8f69f70d504e51a25f3332408157

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240565703.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240566171.exe

Filesize
445KB

MD5
f7edb8d94e5d3fb3fe81c93476621b1f

SHA1
f3bac2b027870bd8c0445acf15587944e4a79e1a

SHA256
eb7809a3dfa697c41c2ed23ca13431f86e1a3e9543756c16b041e02f4632eeb3

SHA512
952a2f7eeafc6ba30ea01b579571ceafba3c1cb08339f7e8d4b36eaff80dc089efbd92326901f61f28b619d240d80e78dede8f69f70d504e51a25f3332408157

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240566171.exe

Filesize
445KB

MD5
f7edb8d94e5d3fb3fe81c93476621b1f

SHA1
f3bac2b027870bd8c0445acf15587944e4a79e1a

SHA256
eb7809a3dfa697c41c2ed23ca13431f86e1a3e9543756c16b041e02f4632eeb3

SHA512
952a2f7eeafc6ba30ea01b579571ceafba3c1cb08339f7e8d4b36eaff80dc089efbd92326901f61f28b619d240d80e78dede8f69f70d504e51a25f3332408157

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240566265.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240566656.exe

Filesize
445KB

MD5
f7edb8d94e5d3fb3fe81c93476621b1f

SHA1
f3bac2b027870bd8c0445acf15587944e4a79e1a

SHA256
eb7809a3dfa697c41c2ed23ca13431f86e1a3e9543756c16b041e02f4632eeb3

SHA512
952a2f7eeafc6ba30ea01b579571ceafba3c1cb08339f7e8d4b36eaff80dc089efbd92326901f61f28b619d240d80e78dede8f69f70d504e51a25f3332408157

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240566656.exe

Filesize
445KB

MD5
f7edb8d94e5d3fb3fe81c93476621b1f

SHA1
f3bac2b027870bd8c0445acf15587944e4a79e1a

SHA256
eb7809a3dfa697c41c2ed23ca13431f86e1a3e9543756c16b041e02f4632eeb3

SHA512
952a2f7eeafc6ba30ea01b579571ceafba3c1cb08339f7e8d4b36eaff80dc089efbd92326901f61f28b619d240d80e78dede8f69f70d504e51a25f3332408157

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240566687.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240567062.exe

Filesize
445KB

MD5
f7edb8d94e5d3fb3fe81c93476621b1f

SHA1
f3bac2b027870bd8c0445acf15587944e4a79e1a

SHA256
eb7809a3dfa697c41c2ed23ca13431f86e1a3e9543756c16b041e02f4632eeb3

SHA512
952a2f7eeafc6ba30ea01b579571ceafba3c1cb08339f7e8d4b36eaff80dc089efbd92326901f61f28b619d240d80e78dede8f69f70d504e51a25f3332408157

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240567062.exe

Filesize
445KB

MD5
f7edb8d94e5d3fb3fe81c93476621b1f

SHA1
f3bac2b027870bd8c0445acf15587944e4a79e1a

SHA256
eb7809a3dfa697c41c2ed23ca13431f86e1a3e9543756c16b041e02f4632eeb3

SHA512
952a2f7eeafc6ba30ea01b579571ceafba3c1cb08339f7e8d4b36eaff80dc089efbd92326901f61f28b619d240d80e78dede8f69f70d504e51a25f3332408157

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240567140.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240567437.exe

Filesize
445KB

MD5
f7edb8d94e5d3fb3fe81c93476621b1f

SHA1
f3bac2b027870bd8c0445acf15587944e4a79e1a

SHA256
eb7809a3dfa697c41c2ed23ca13431f86e1a3e9543756c16b041e02f4632eeb3

SHA512
952a2f7eeafc6ba30ea01b579571ceafba3c1cb08339f7e8d4b36eaff80dc089efbd92326901f61f28b619d240d80e78dede8f69f70d504e51a25f3332408157

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240567437.exe

Filesize
445KB

MD5
f7edb8d94e5d3fb3fe81c93476621b1f

SHA1
f3bac2b027870bd8c0445acf15587944e4a79e1a

SHA256
eb7809a3dfa697c41c2ed23ca13431f86e1a3e9543756c16b041e02f4632eeb3

SHA512
952a2f7eeafc6ba30ea01b579571ceafba3c1cb08339f7e8d4b36eaff80dc089efbd92326901f61f28b619d240d80e78dede8f69f70d504e51a25f3332408157

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
445KB

MD5
f7edb8d94e5d3fb3fe81c93476621b1f

SHA1
f3bac2b027870bd8c0445acf15587944e4a79e1a

SHA256
eb7809a3dfa697c41c2ed23ca13431f86e1a3e9543756c16b041e02f4632eeb3

SHA512
952a2f7eeafc6ba30ea01b579571ceafba3c1cb08339f7e8d4b36eaff80dc089efbd92326901f61f28b619d240d80e78dede8f69f70d504e51a25f3332408157

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
445KB

MD5
f7edb8d94e5d3fb3fe81c93476621b1f

SHA1
f3bac2b027870bd8c0445acf15587944e4a79e1a

SHA256
eb7809a3dfa697c41c2ed23ca13431f86e1a3e9543756c16b041e02f4632eeb3

SHA512
952a2f7eeafc6ba30ea01b579571ceafba3c1cb08339f7e8d4b36eaff80dc089efbd92326901f61f28b619d240d80e78dede8f69f70d504e51a25f3332408157

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
445KB

MD5
f7edb8d94e5d3fb3fe81c93476621b1f

SHA1
f3bac2b027870bd8c0445acf15587944e4a79e1a

SHA256
eb7809a3dfa697c41c2ed23ca13431f86e1a3e9543756c16b041e02f4632eeb3

SHA512
952a2f7eeafc6ba30ea01b579571ceafba3c1cb08339f7e8d4b36eaff80dc089efbd92326901f61f28b619d240d80e78dede8f69f70d504e51a25f3332408157

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
445KB

MD5
f7edb8d94e5d3fb3fe81c93476621b1f

SHA1
f3bac2b027870bd8c0445acf15587944e4a79e1a

SHA256
eb7809a3dfa697c41c2ed23ca13431f86e1a3e9543756c16b041e02f4632eeb3

SHA512
952a2f7eeafc6ba30ea01b579571ceafba3c1cb08339f7e8d4b36eaff80dc089efbd92326901f61f28b619d240d80e78dede8f69f70d504e51a25f3332408157

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
445KB

MD5
f7edb8d94e5d3fb3fe81c93476621b1f

SHA1
f3bac2b027870bd8c0445acf15587944e4a79e1a

SHA256
eb7809a3dfa697c41c2ed23ca13431f86e1a3e9543756c16b041e02f4632eeb3

SHA512
952a2f7eeafc6ba30ea01b579571ceafba3c1cb08339f7e8d4b36eaff80dc089efbd92326901f61f28b619d240d80e78dede8f69f70d504e51a25f3332408157

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
445KB

MD5
f7edb8d94e5d3fb3fe81c93476621b1f

SHA1
f3bac2b027870bd8c0445acf15587944e4a79e1a

SHA256
eb7809a3dfa697c41c2ed23ca13431f86e1a3e9543756c16b041e02f4632eeb3

SHA512
952a2f7eeafc6ba30ea01b579571ceafba3c1cb08339f7e8d4b36eaff80dc089efbd92326901f61f28b619d240d80e78dede8f69f70d504e51a25f3332408157

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
445KB

MD5
f7edb8d94e5d3fb3fe81c93476621b1f

SHA1
f3bac2b027870bd8c0445acf15587944e4a79e1a

SHA256
eb7809a3dfa697c41c2ed23ca13431f86e1a3e9543756c16b041e02f4632eeb3

SHA512
952a2f7eeafc6ba30ea01b579571ceafba3c1cb08339f7e8d4b36eaff80dc089efbd92326901f61f28b619d240d80e78dede8f69f70d504e51a25f3332408157

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
445KB

MD5
f7edb8d94e5d3fb3fe81c93476621b1f

SHA1
f3bac2b027870bd8c0445acf15587944e4a79e1a

SHA256
eb7809a3dfa697c41c2ed23ca13431f86e1a3e9543756c16b041e02f4632eeb3

SHA512
952a2f7eeafc6ba30ea01b579571ceafba3c1cb08339f7e8d4b36eaff80dc089efbd92326901f61f28b619d240d80e78dede8f69f70d504e51a25f3332408157

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
445KB

MD5
f7edb8d94e5d3fb3fe81c93476621b1f

SHA1
f3bac2b027870bd8c0445acf15587944e4a79e1a

SHA256
eb7809a3dfa697c41c2ed23ca13431f86e1a3e9543756c16b041e02f4632eeb3

SHA512
952a2f7eeafc6ba30ea01b579571ceafba3c1cb08339f7e8d4b36eaff80dc089efbd92326901f61f28b619d240d80e78dede8f69f70d504e51a25f3332408157

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
445KB

MD5
f7edb8d94e5d3fb3fe81c93476621b1f

SHA1
f3bac2b027870bd8c0445acf15587944e4a79e1a

SHA256
eb7809a3dfa697c41c2ed23ca13431f86e1a3e9543756c16b041e02f4632eeb3

SHA512
952a2f7eeafc6ba30ea01b579571ceafba3c1cb08339f7e8d4b36eaff80dc089efbd92326901f61f28b619d240d80e78dede8f69f70d504e51a25f3332408157

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
617KB

MD5
7343b382764064356182f94a8c425162

SHA1
6d99a1a4968b9d1a1203e910116f42ab86b1de18

SHA256
ae4f3e4a4d53241fd9886de205da42bf336579eb065bb28e89c1859c4f2e72aa

SHA512
f316957c3d0495bf13c06d098cfae5df36546a7fc2f91efa1b553d123231f09af9e85287afb77ca8efd7e25f3cb98c9a04190197b1e6598180a8a28dc688b2c1

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
617KB

MD5
7343b382764064356182f94a8c425162

SHA1
6d99a1a4968b9d1a1203e910116f42ab86b1de18

SHA256
ae4f3e4a4d53241fd9886de205da42bf336579eb065bb28e89c1859c4f2e72aa

SHA512
f316957c3d0495bf13c06d098cfae5df36546a7fc2f91efa1b553d123231f09af9e85287afb77ca8efd7e25f3cb98c9a04190197b1e6598180a8a28dc688b2c1

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
617KB

MD5
7343b382764064356182f94a8c425162

SHA1
6d99a1a4968b9d1a1203e910116f42ab86b1de18

SHA256
ae4f3e4a4d53241fd9886de205da42bf336579eb065bb28e89c1859c4f2e72aa

SHA512
f316957c3d0495bf13c06d098cfae5df36546a7fc2f91efa1b553d123231f09af9e85287afb77ca8efd7e25f3cb98c9a04190197b1e6598180a8a28dc688b2c1

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
617KB

MD5
7343b382764064356182f94a8c425162

SHA1
6d99a1a4968b9d1a1203e910116f42ab86b1de18

SHA256
ae4f3e4a4d53241fd9886de205da42bf336579eb065bb28e89c1859c4f2e72aa

SHA512
f316957c3d0495bf13c06d098cfae5df36546a7fc2f91efa1b553d123231f09af9e85287afb77ca8efd7e25f3cb98c9a04190197b1e6598180a8a28dc688b2c1

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
617KB

MD5
7343b382764064356182f94a8c425162

SHA1
6d99a1a4968b9d1a1203e910116f42ab86b1de18

SHA256
ae4f3e4a4d53241fd9886de205da42bf336579eb065bb28e89c1859c4f2e72aa

SHA512
f316957c3d0495bf13c06d098cfae5df36546a7fc2f91efa1b553d123231f09af9e85287afb77ca8efd7e25f3cb98c9a04190197b1e6598180a8a28dc688b2c1

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
617KB

MD5
7343b382764064356182f94a8c425162

SHA1
6d99a1a4968b9d1a1203e910116f42ab86b1de18

SHA256
ae4f3e4a4d53241fd9886de205da42bf336579eb065bb28e89c1859c4f2e72aa

SHA512
f316957c3d0495bf13c06d098cfae5df36546a7fc2f91efa1b553d123231f09af9e85287afb77ca8efd7e25f3cb98c9a04190197b1e6598180a8a28dc688b2c1

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
617KB

MD5
7343b382764064356182f94a8c425162

SHA1
6d99a1a4968b9d1a1203e910116f42ab86b1de18

SHA256
ae4f3e4a4d53241fd9886de205da42bf336579eb065bb28e89c1859c4f2e72aa

SHA512
f316957c3d0495bf13c06d098cfae5df36546a7fc2f91efa1b553d123231f09af9e85287afb77ca8efd7e25f3cb98c9a04190197b1e6598180a8a28dc688b2c1

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
617KB

MD5
7343b382764064356182f94a8c425162

SHA1
6d99a1a4968b9d1a1203e910116f42ab86b1de18

SHA256
ae4f3e4a4d53241fd9886de205da42bf336579eb065bb28e89c1859c4f2e72aa

SHA512
f316957c3d0495bf13c06d098cfae5df36546a7fc2f91efa1b553d123231f09af9e85287afb77ca8efd7e25f3cb98c9a04190197b1e6598180a8a28dc688b2c1

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
617KB

MD5
7343b382764064356182f94a8c425162

SHA1
6d99a1a4968b9d1a1203e910116f42ab86b1de18

SHA256
ae4f3e4a4d53241fd9886de205da42bf336579eb065bb28e89c1859c4f2e72aa

SHA512
f316957c3d0495bf13c06d098cfae5df36546a7fc2f91efa1b553d123231f09af9e85287afb77ca8efd7e25f3cb98c9a04190197b1e6598180a8a28dc688b2c1

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
617KB

MD5
7343b382764064356182f94a8c425162

SHA1
6d99a1a4968b9d1a1203e910116f42ab86b1de18

SHA256
ae4f3e4a4d53241fd9886de205da42bf336579eb065bb28e89c1859c4f2e72aa

SHA512
f316957c3d0495bf13c06d098cfae5df36546a7fc2f91efa1b553d123231f09af9e85287afb77ca8efd7e25f3cb98c9a04190197b1e6598180a8a28dc688b2c1

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
617KB

MD5
7343b382764064356182f94a8c425162

SHA1
6d99a1a4968b9d1a1203e910116f42ab86b1de18

SHA256
ae4f3e4a4d53241fd9886de205da42bf336579eb065bb28e89c1859c4f2e72aa

SHA512
f316957c3d0495bf13c06d098cfae5df36546a7fc2f91efa1b553d123231f09af9e85287afb77ca8efd7e25f3cb98c9a04190197b1e6598180a8a28dc688b2c1

Download Submit
memory/260-282-0x0000000000000000-mapping.dmp

Download
memory/364-295-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/364-296-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/432-223-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/432-214-0x0000000000000000-mapping.dmp

Download
memory/508-258-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/508-255-0x0000000000000000-mapping.dmp

Download
memory/628-319-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/628-320-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/764-246-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/764-243-0x0000000000000000-mapping.dmp

Download
memory/912-293-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1044-161-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1044-152-0x0000000000000000-mapping.dmp

Download
memory/1132-136-0x0000000000000000-mapping.dmp

Download
memory/1308-264-0x0000000000000000-mapping.dmp

Download
memory/1336-298-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1376-133-0x0000000000000000-mapping.dmp

Download
memory/1420-287-0x0000000000000000-mapping.dmp

Download
memory/1448-315-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1484-188-0x0000000000000000-mapping.dmp

Download
memory/1592-216-0x0000000000000000-mapping.dmp

Download
memory/1732-311-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1888-198-0x0000000000000000-mapping.dmp

Download
memory/1988-201-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1988-193-0x0000000000000000-mapping.dmp

Download
memory/1988-203-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2036-269-0x0000000000000000-mapping.dmp

Download
memory/2036-312-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2040-248-0x0000000000000000-mapping.dmp

Download
memory/2072-307-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2084-308-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2160-305-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2168-209-0x0000000000000000-mapping.dmp

Download
memory/2224-303-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2224-302-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2252-132-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2252-139-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2292-180-0x0000000000000000-mapping.dmp

Download
memory/2312-257-0x0000000000000000-mapping.dmp

Download
memory/2324-281-0x0000000000000000-mapping.dmp

Download
memory/2492-175-0x0000000000000000-mapping.dmp

Download
memory/2536-144-0x0000000000000000-mapping.dmp

Download
memory/2564-278-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2564-273-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2564-271-0x0000000000000000-mapping.dmp

Download
memory/2892-288-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2892-157-0x0000000000000000-mapping.dmp

Download
memory/2892-286-0x0000000000000000-mapping.dmp

Download
memory/3024-224-0x0000000000000000-mapping.dmp

Download
memory/3024-233-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3080-226-0x0000000000000000-mapping.dmp

Download
memory/3128-192-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3128-183-0x0000000000000000-mapping.dmp

Download
memory/3148-245-0x0000000000000000-mapping.dmp

Download
memory/3292-270-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3292-267-0x0000000000000000-mapping.dmp

Download
memory/3352-280-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3352-285-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3352-279-0x0000000000000000-mapping.dmp

Download
memory/3396-261-0x0000000000000000-mapping.dmp

Download
memory/3464-260-0x0000000000000000-mapping.dmp

Download
memory/3496-247-0x0000000000000000-mapping.dmp

Download
memory/3496-250-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3504-292-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3504-291-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3528-213-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3528-204-0x0000000000000000-mapping.dmp

Download
memory/3628-306-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3860-195-0x0000000000000000-mapping.dmp

Download
memory/3900-276-0x0000000000000000-mapping.dmp

Download
memory/3964-313-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4000-259-0x0000000000000000-mapping.dmp

Download
memory/4000-262-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4028-274-0x0000000000000000-mapping.dmp

Download
memory/4028-275-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4028-284-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4040-149-0x0000000000000000-mapping.dmp

Download
memory/4116-162-0x0000000000000000-mapping.dmp

Download
memory/4116-164-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4116-172-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4148-266-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4148-263-0x0000000000000000-mapping.dmp

Download
memory/4208-289-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4208-290-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4244-173-0x0000000000000000-mapping.dmp

Download
memory/4244-182-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4264-277-0x0000000000000000-mapping.dmp

Download
memory/4280-249-0x0000000000000000-mapping.dmp

Download
memory/4284-283-0x0000000000000000-mapping.dmp

Download
memory/4296-242-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4296-234-0x0000000000000000-mapping.dmp

Download
memory/4304-265-0x0000000000000000-mapping.dmp

Download
memory/4324-253-0x0000000000000000-mapping.dmp

Download
memory/4336-299-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4336-300-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4336-301-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4404-168-0x0000000000000000-mapping.dmp

Download
memory/4524-318-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4540-165-0x0000000000000000-mapping.dmp

Download
memory/4560-321-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4564-236-0x0000000000000000-mapping.dmp

Download
memory/4624-322-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4624-323-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4624-185-0x0000000000000000-mapping.dmp

Download
memory/4692-219-0x0000000000000000-mapping.dmp

Download
memory/4804-297-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4840-314-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4844-268-0x0000000000000000-mapping.dmp

Download
memory/4848-272-0x0000000000000000-mapping.dmp

Download
memory/4868-252-0x0000000000000000-mapping.dmp

Download
memory/4876-304-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4876-239-0x0000000000000000-mapping.dmp

Download
memory/4912-229-0x0000000000000000-mapping.dmp

Download
memory/4928-151-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4928-316-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4928-140-0x0000000000000000-mapping.dmp

Download
memory/4928-143-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4928-317-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4932-256-0x0000000000000000-mapping.dmp

Download
memory/4960-294-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5008-251-0x0000000000000000-mapping.dmp

Download
memory/5008-254-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5028-310-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5028-309-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5036-154-0x0000000000000000-mapping.dmp

Download
memory/5056-206-0x0000000000000000-mapping.dmp

Download
memory/5092-244-0x0000000000000000-mapping.dmp

Download