0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2022 00:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2.exe
Size

883KB
MD5

44c6664ce2278eb1f4c2c2324a4aed38
SHA1

e02a0cae906c6da6c9750e4cbf7314565c6a2d22
SHA256

0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2
SHA512

b14e810469dc52fe68bd2a65a050287cf9412325557c65dfe6ca2ae3a8bb465e239085d877a6521710dc88f0e2e68dbd6cc7cf557281f95c882217d135d47b31
SSDEEP

12288:vR9PxPIR9P7P2R9PNPIR9P7P2R9PTPiR9PxPIR9P7P2R9PNPIR9P7P2R9P:vRURwRoRwR8RURwRoRwR

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

Processes:

notpad.exetmp240560156.exetmp240560390.exenotpad.exetmp240560625.exetmp240560703.exenotpad.exetmp240561093.exetmp240561140.exenotpad.exetmp240561531.exetmp240561640.exenotpad.exetmp240561843.exetmp240561921.exenotpad.exetmp240562093.exetmp240562203.exenotpad.exetmp240562593.exetmp240579375.exenotpad.exetmp240579843.exetmp240579937.exenotpad.exetmp240580218.exetmp240581281.exenotpad.exetmp240581703.exetmp240581796.exenotpad.exetmp240582015.exetmp240582625.exenotpad.exetmp240582875.exetmp240582906.exenotpad.exetmp240583046.exetmp240583093.exenotpad.exetmp240583312.exetmp240584109.exenotpad.exetmp240584265.exetmp240584296.exenotpad.exetmp240584515.exetmp240584546.exenotpad.exetmp240584781.exetmp240585468.exenotpad.exetmp240598328.exenotpad.exetmp240598765.exetmp240599296.exetmp240599375.exenotpad.exetmp240599593.exetmp240599640.exenotpad.exetmp240599859.exetmp240600015.exenotpad.exe

pid	process
2108	notpad.exe
2380	tmp240560156.exe
1588	tmp240560390.exe
332	notpad.exe
4892	tmp240560625.exe
2232	tmp240560703.exe
4764	notpad.exe
5052	tmp240561093.exe
4308	tmp240561140.exe
2560	notpad.exe
3756	tmp240561531.exe
1200	tmp240561640.exe
2360	notpad.exe
4372	tmp240561843.exe
3980	tmp240561921.exe
1820	notpad.exe
4208	tmp240562093.exe
3180	tmp240562203.exe
228	notpad.exe
3424	tmp240562593.exe
2700	tmp240579375.exe
4824	notpad.exe
1304	tmp240579843.exe
3336	tmp240579937.exe
3564	notpad.exe
4496	tmp240580218.exe
1868	tmp240581281.exe
2320	notpad.exe
2796	tmp240581703.exe
2304	tmp240581796.exe
4756	notpad.exe
4224	tmp240582015.exe
4960	tmp240582625.exe
2720	notpad.exe
720	tmp240582875.exe
4172	tmp240582906.exe
1488	notpad.exe
3380	tmp240583046.exe
1204	tmp240583093.exe
4304	notpad.exe
4272	tmp240583312.exe
1684	tmp240584109.exe
1736	notpad.exe
4924	tmp240584265.exe
4992	tmp240584296.exe
4664	notpad.exe
3288	tmp240584515.exe
4300	tmp240584546.exe
1636	notpad.exe
4060	tmp240584781.exe
4732	tmp240585468.exe
3148	notpad.exe
2184	tmp240598328.exe
3596	notpad.exe
976	tmp240598765.exe
4876	tmp240599296.exe
4800	tmp240599375.exe
2220	notpad.exe
3064	tmp240599593.exe
4308	tmp240599640.exe
2880	notpad.exe
4388	tmp240599859.exe
2388	tmp240600015.exe
4888	notpad.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Windows\SysWOW64\notpad.exe	upx
C:\Windows\SysWOW64\notpad.exe	upx
behavioral2/memory/2108-142-0x0000000000400000-0x000000000041F000-memory.dmp	upx
C:\Windows\SysWOW64\fsb.stb	upx
C:\Windows\SysWOW64\notpad.exe	upx
behavioral2/memory/332-152-0x0000000000400000-0x000000000041F000-memory.dmp	upx
C:\Windows\SysWOW64\fsb.stb	upx
C:\Windows\SysWOW64\notpad.exe	upx
C:\Windows\SysWOW64\fsb.stb	upx
behavioral2/memory/4764-162-0x0000000000400000-0x000000000041F000-memory.dmp	upx
C:\Windows\SysWOW64\notpad.exe	upx
behavioral2/memory/2560-165-0x0000000000400000-0x000000000041F000-memory.dmp	upx
C:\Windows\SysWOW64\fsb.stb	upx
behavioral2/memory/2560-173-0x0000000000400000-0x000000000041F000-memory.dmp	upx
C:\Windows\SysWOW64\notpad.exe	upx
C:\Windows\SysWOW64\fsb.stb	upx
behavioral2/memory/2360-183-0x0000000000400000-0x000000000041F000-memory.dmp	upx
C:\Windows\SysWOW64\notpad.exe	upx
C:\Windows\SysWOW64\fsb.stb	upx
behavioral2/memory/1820-193-0x0000000000400000-0x000000000041F000-memory.dmp	upx
C:\Windows\SysWOW64\notpad.exe	upx
behavioral2/memory/228-196-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/228-204-0x0000000000400000-0x000000000041F000-memory.dmp	upx
C:\Windows\SysWOW64\fsb.stb	upx
C:\Windows\SysWOW64\notpad.exe	upx
behavioral2/memory/4824-207-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4824-215-0x0000000000400000-0x000000000041F000-memory.dmp	upx
C:\Windows\SysWOW64\fsb.stb	upx
C:\Windows\SysWOW64\notpad.exe	upx
behavioral2/memory/3564-218-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3564-226-0x0000000000400000-0x000000000041F000-memory.dmp	upx
C:\Windows\SysWOW64\fsb.stb	upx
C:\Windows\SysWOW64\notpad.exe	upx
behavioral2/memory/2320-236-0x0000000000400000-0x000000000041F000-memory.dmp	upx
C:\Windows\SysWOW64\fsb.stb	upx
C:\Windows\SysWOW64\notpad.exe	upx
behavioral2/memory/4756-243-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2720-247-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1488-251-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4304-253-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4304-256-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1736-260-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4664-264-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1636-266-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1636-268-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1636-270-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3148-274-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3148-277-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3596-279-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2220-283-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2880-287-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4888-289-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4888-290-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2884-291-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5004-292-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3376-293-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1308-294-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/404-295-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4824-296-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3300-297-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3300-298-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1868-299-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4952-300-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/916-301-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

tmp240602015.exetmp240696093.exetmp240580218.exetmp240600875.exetmp240601765.exetmp240649906.exetmp240651375.exetmp240694453.exetmp240695750.exetmp240699609.exetmp240602296.exetmp240642953.exetmp240643640.exetmp240654203.exetmp240691625.exetmp240560625.exetmp240604031.exetmp240652421.exetmp240599859.exetmp240641562.exetmp240646625.exetmp240645156.exetmp240693890.exetmp240696656.exetmp240582875.exetmp240584265.exetmp240599296.exetmp240646375.exetmp240697828.exetmp240561093.exetmp240604687.exetmp240605203.exetmp240646031.exetmp240647546.exetmp240648515.exetmp240688828.exetmp240689093.exetmp240583312.exetmp240599593.exetmp240634812.exetmp240698828.exetmp240561843.exetmp240604359.exetmp240642656.exetmp240643375.exetmp240643875.exetmp240651578.exetmp240697515.exetmp240584781.exetmp240602640.exetmp240602906.exetmp240645484.exetmp240583046.exetmp240600609.exetmp240642078.exetmp240643156.exetmp240644515.exetmp240562093.exetmp240581703.exetmp240582015.exetmp240697218.exetmp240644687.exetmp240645734.exetmp240680953.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240602015.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240696093.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240580218.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240600875.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240601765.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240649906.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240651375.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240694453.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240695750.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240699609.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240602296.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240642953.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240643640.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240654203.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240691625.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240560625.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240604031.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240652421.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240599859.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240641562.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240646625.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240645156.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240693890.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240696656.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240582875.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240584265.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240599296.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240646375.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240697828.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240561093.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240604687.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240605203.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240646031.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240647546.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240648515.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240688828.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240689093.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240583312.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240599593.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240634812.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240698828.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240561843.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240604359.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240642656.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240643375.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240643875.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240651578.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240697515.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240584781.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240602640.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240602906.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240645484.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240583046.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240600609.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240642078.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240643156.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240644515.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240562093.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240581703.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240582015.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240697218.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240644687.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240645734.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240680953.exe

Drops file in System32 directory 64 IoCs

Processes:

tmp240604937.exetmp240645156.exetmp240649375.exetmp240602296.exetmp240643875.exetmp240646375.exetmp240645734.exetmp240698828.exetmp240699890.exetmp240582015.exetmp240583312.exetmp240599593.exetmp240601765.exetmp240651578.exe0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2.exetmp240560156.exetmp240642656.exetmp240643640.exetmp240651375.exetmp240583046.exetmp240646625.exetmp240649906.exetmp240699187.exetmp240562093.exetmp240581703.exetmp240604687.exetmp240644687.exetmp240560625.exetmp240580218.exetmp240599859.exetmp240643156.exetmp240605203.exetmp240642234.exetmp240652421.exetmp240601406.exetmp240603625.exetmp240643375.exetmp240561093.exetmp240561531.exetmp240697828.exetmp240647546.exetmp240579843.exetmp240604359.exetmp240634812.exetmp240695234.exetmp240561843.exetmp240641828.exetmp240644515.exetmp240644953.exetmp240694453.exetmp240598328.exetmp240604031.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240604937.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240645156.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240649375.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240602296.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240643875.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240646375.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240645734.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240698828.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240699890.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240582015.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240583312.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240599593.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240601765.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240651578.exe
File created	C:\Windows\SysWOW64\notpad.exe-	0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240560156.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240642656.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240643640.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240651375.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240583046.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240646625.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240649906.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240649906.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240699187.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240562093.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240581703.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240604687.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240644687.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240560625.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240580218.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240599859.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240643156.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240698828.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240560156.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240605203.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240642234.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240652421.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240601406.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240603625.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240604937.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240643375.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240561093.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240561531.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240582015.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240583312.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240697828.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240646375.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240647546.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240579843.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240604359.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240605203.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240634812.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240695234.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240698828.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240561843.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240641828.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240644515.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240651375.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240644953.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240694453.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240580218.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240598328.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240604031.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240643640.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

Processes:

tmp240599593.exetmp240641828.exetmp240646625.exetmp240648515.exetmp240692468.exetmp240560156.exetmp240579843.exetmp240581703.exetmp240599859.exetmp240644953.exetmp240689093.exetmp240697218.exetmp240561531.exetmp240582015.exetmp240582875.exetmp240584265.exetmp240598328.exetmp240643375.exetmp240697828.exetmp240651375.exe0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2.exetmp240602015.exetmp240603265.exetmp240604031.exetmp240645484.exetmp240647546.exetmp240560625.exetmp240584781.exetmp240602640.exetmp240643156.exetmp240644687.exetmp240646375.exetmp240603625.exetmp240641562.exetmp240561093.exetmp240561843.exetmp240562593.exetmp240580218.exetmp240599296.exetmp240601406.exetmp240696093.exetmp240562093.exetmp240649906.exetmp240691812.exetmp240696656.exetmp240584515.exetmp240602906.exetmp240654203.exetmp240699609.exetmp240600609.exetmp240601765.exetmp240642078.exetmp240642656.exetmp240643640.exetmp240643875.exetmp240651578.exetmp240699187.exetmp240583046.exetmp240604359.exetmp240604687.exetmp240634812.exetmp240642234.exetmp240650640.exetmp240601156.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240599593.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240641828.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240646625.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240648515.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240692468.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240560156.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240579843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240581703.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240599859.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240644953.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240689093.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240697218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240561531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240582015.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240582875.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240584265.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240598328.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240643375.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240697828.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240651375.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240602015.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240603265.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240604031.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240645484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240647546.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240560625.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240584781.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240602640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240643156.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240644687.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240646375.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240603625.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240641562.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240561093.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240561843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240562593.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240580218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240599296.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240601406.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240696093.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240562093.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240649906.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240691812.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240696656.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240584515.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240602906.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240654203.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240699609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240600609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240601765.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240642078.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240642656.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240643640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240643875.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240651578.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240699187.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240583046.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240604359.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240604687.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240634812.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240642234.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240650640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240601156.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2.exenotpad.exetmp240560156.exenotpad.exetmp240560625.exenotpad.exetmp240561093.exenotpad.exetmp240561531.exenotpad.exetmp240561843.exenotpad.exetmp240562093.exenotpad.exetmp240562593.exe

description	pid	process	target process
PID 1444 wrote to memory of 2108	1444	0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2.exe	notpad.exe
PID 1444 wrote to memory of 2108	1444	0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2.exe	notpad.exe
PID 1444 wrote to memory of 2108	1444	0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2.exe	notpad.exe
PID 2108 wrote to memory of 2380	2108	notpad.exe	tmp240560156.exe
PID 2108 wrote to memory of 2380	2108	notpad.exe	tmp240560156.exe
PID 2108 wrote to memory of 2380	2108	notpad.exe	tmp240560156.exe
PID 2108 wrote to memory of 1588	2108	notpad.exe	tmp240560390.exe
PID 2108 wrote to memory of 1588	2108	notpad.exe	tmp240560390.exe
PID 2108 wrote to memory of 1588	2108	notpad.exe	tmp240560390.exe
PID 2380 wrote to memory of 332	2380	tmp240560156.exe	notpad.exe
PID 2380 wrote to memory of 332	2380	tmp240560156.exe	notpad.exe
PID 2380 wrote to memory of 332	2380	tmp240560156.exe	notpad.exe
PID 332 wrote to memory of 4892	332	notpad.exe	tmp240560625.exe
PID 332 wrote to memory of 4892	332	notpad.exe	tmp240560625.exe
PID 332 wrote to memory of 4892	332	notpad.exe	tmp240560625.exe
PID 332 wrote to memory of 2232	332	notpad.exe	tmp240560703.exe
PID 332 wrote to memory of 2232	332	notpad.exe	tmp240560703.exe
PID 332 wrote to memory of 2232	332	notpad.exe	tmp240560703.exe
PID 4892 wrote to memory of 4764	4892	tmp240560625.exe	notpad.exe
PID 4892 wrote to memory of 4764	4892	tmp240560625.exe	notpad.exe
PID 4892 wrote to memory of 4764	4892	tmp240560625.exe	notpad.exe
PID 4764 wrote to memory of 5052	4764	notpad.exe	tmp240561093.exe
PID 4764 wrote to memory of 5052	4764	notpad.exe	tmp240561093.exe
PID 4764 wrote to memory of 5052	4764	notpad.exe	tmp240561093.exe
PID 4764 wrote to memory of 4308	4764	notpad.exe	tmp240561140.exe
PID 4764 wrote to memory of 4308	4764	notpad.exe	tmp240561140.exe
PID 4764 wrote to memory of 4308	4764	notpad.exe	tmp240561140.exe
PID 5052 wrote to memory of 2560	5052	tmp240561093.exe	notpad.exe
PID 5052 wrote to memory of 2560	5052	tmp240561093.exe	notpad.exe
PID 5052 wrote to memory of 2560	5052	tmp240561093.exe	notpad.exe
PID 2560 wrote to memory of 3756	2560	notpad.exe	tmp240561531.exe
PID 2560 wrote to memory of 3756	2560	notpad.exe	tmp240561531.exe
PID 2560 wrote to memory of 3756	2560	notpad.exe	tmp240561531.exe
PID 2560 wrote to memory of 1200	2560	notpad.exe	tmp240561640.exe
PID 2560 wrote to memory of 1200	2560	notpad.exe	tmp240561640.exe
PID 2560 wrote to memory of 1200	2560	notpad.exe	tmp240561640.exe
PID 3756 wrote to memory of 2360	3756	tmp240561531.exe	notpad.exe
PID 3756 wrote to memory of 2360	3756	tmp240561531.exe	notpad.exe
PID 3756 wrote to memory of 2360	3756	tmp240561531.exe	notpad.exe
PID 2360 wrote to memory of 4372	2360	notpad.exe	tmp240561843.exe
PID 2360 wrote to memory of 4372	2360	notpad.exe	tmp240561843.exe
PID 2360 wrote to memory of 4372	2360	notpad.exe	tmp240561843.exe
PID 2360 wrote to memory of 3980	2360	notpad.exe	tmp240561921.exe
PID 2360 wrote to memory of 3980	2360	notpad.exe	tmp240561921.exe
PID 2360 wrote to memory of 3980	2360	notpad.exe	tmp240561921.exe
PID 4372 wrote to memory of 1820	4372	tmp240561843.exe	notpad.exe
PID 4372 wrote to memory of 1820	4372	tmp240561843.exe	notpad.exe
PID 4372 wrote to memory of 1820	4372	tmp240561843.exe	notpad.exe
PID 1820 wrote to memory of 4208	1820	notpad.exe	tmp240562093.exe
PID 1820 wrote to memory of 4208	1820	notpad.exe	tmp240562093.exe
PID 1820 wrote to memory of 4208	1820	notpad.exe	tmp240562093.exe
PID 1820 wrote to memory of 3180	1820	notpad.exe	tmp240562203.exe
PID 1820 wrote to memory of 3180	1820	notpad.exe	tmp240562203.exe
PID 1820 wrote to memory of 3180	1820	notpad.exe	tmp240562203.exe
PID 4208 wrote to memory of 228	4208	tmp240562093.exe	notpad.exe
PID 4208 wrote to memory of 228	4208	tmp240562093.exe	notpad.exe
PID 4208 wrote to memory of 228	4208	tmp240562093.exe	notpad.exe
PID 228 wrote to memory of 3424	228	notpad.exe	tmp240562593.exe
PID 228 wrote to memory of 3424	228	notpad.exe	tmp240562593.exe
PID 228 wrote to memory of 3424	228	notpad.exe	tmp240562593.exe
PID 228 wrote to memory of 2700	228	notpad.exe	tmp240579375.exe
PID 228 wrote to memory of 2700	228	notpad.exe	tmp240579375.exe
PID 228 wrote to memory of 2700	228	notpad.exe	tmp240579375.exe
PID 3424 wrote to memory of 4824	3424	tmp240562593.exe	notpad.exe

C:\Users\Admin\AppData\Local\Temp\0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2.exe
"C:\Users\Admin\AppData\Local\Temp\0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2108

C:\Users\Admin\AppData\Local\Temp\tmp240560156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240560156.exe
3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2380

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:332

C:\Users\Admin\AppData\Local\Temp\tmp240560625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240560625.exe
5⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4892

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4764

C:\Users\Admin\AppData\Local\Temp\tmp240561093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240561093.exe
7⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5052

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2560

C:\Users\Admin\AppData\Local\Temp\tmp240561531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240561531.exe
9⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3756

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2360

C:\Users\Admin\AppData\Local\Temp\tmp240561843.exe
C:\Users\Admin\AppData\Local\Temp\tmp240561843.exe
11⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1820

C:\Users\Admin\AppData\Local\Temp\tmp240562093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240562093.exe
13⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4208

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:228

C:\Users\Admin\AppData\Local\Temp\tmp240562593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240562593.exe
15⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3424

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
16⤵
- Executes dropped EXE
PID:4824

C:\Users\Admin\AppData\Local\Temp\tmp240579843.exe
C:\Users\Admin\AppData\Local\Temp\tmp240579843.exe
17⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:1304

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
18⤵
- Executes dropped EXE
PID:3564

C:\Users\Admin\AppData\Local\Temp\tmp240580218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240580218.exe
19⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:4496

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
20⤵
- Executes dropped EXE
PID:2320

C:\Users\Admin\AppData\Local\Temp\tmp240581703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240581703.exe
21⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:2796

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
22⤵
- Executes dropped EXE
PID:4756

C:\Users\Admin\AppData\Local\Temp\tmp240582015.exe
C:\Users\Admin\AppData\Local\Temp\tmp240582015.exe
23⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:4224

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
24⤵
- Executes dropped EXE
PID:2720

C:\Users\Admin\AppData\Local\Temp\tmp240582875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240582875.exe
25⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:720

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
26⤵
- Executes dropped EXE
PID:1488

C:\Users\Admin\AppData\Local\Temp\tmp240583046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240583046.exe
27⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:3380

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
28⤵
- Executes dropped EXE
PID:4304

C:\Users\Admin\AppData\Local\Temp\tmp240583312.exe
C:\Users\Admin\AppData\Local\Temp\tmp240583312.exe
29⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
PID:4272

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
30⤵
- Executes dropped EXE
PID:1736

C:\Users\Admin\AppData\Local\Temp\tmp240584265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240584265.exe
31⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:4924

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
32⤵
- Executes dropped EXE
PID:4664

C:\Users\Admin\AppData\Local\Temp\tmp240584515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240584515.exe
33⤵
- Executes dropped EXE
- Modifies registry class
PID:3288

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
34⤵
- Executes dropped EXE
PID:1636

C:\Users\Admin\AppData\Local\Temp\tmp240584781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240584781.exe
35⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:4060

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
36⤵
- Executes dropped EXE
PID:3148

C:\Users\Admin\AppData\Local\Temp\tmp240598328.exe
C:\Users\Admin\AppData\Local\Temp\tmp240598328.exe
37⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:2184

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
38⤵
- Executes dropped EXE
PID:3596

C:\Users\Admin\AppData\Local\Temp\tmp240599296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599296.exe
39⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:4876

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
40⤵
- Executes dropped EXE
PID:2220

C:\Users\Admin\AppData\Local\Temp\tmp240599593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599593.exe
41⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:3064

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
42⤵
- Executes dropped EXE
PID:2880

C:\Users\Admin\AppData\Local\Temp\tmp240599859.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599859.exe
43⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:4388

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
44⤵
- Executes dropped EXE
PID:4888

C:\Users\Admin\AppData\Local\Temp\tmp240600203.exe
C:\Users\Admin\AppData\Local\Temp\tmp240600203.exe
45⤵
PID:2544

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
46⤵
PID:2884

C:\Users\Admin\AppData\Local\Temp\tmp240600609.exe
C:\Users\Admin\AppData\Local\Temp\tmp240600609.exe
47⤵
- Checks computer location settings
- Modifies registry class
PID:2328

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
48⤵
PID:5004

C:\Users\Admin\AppData\Local\Temp\tmp240600875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240600875.exe
49⤵
- Checks computer location settings
PID:4260

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
50⤵
PID:3376

C:\Users\Admin\AppData\Local\Temp\tmp240601156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240601156.exe
51⤵
- Modifies registry class
PID:176

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
52⤵
PID:1308

C:\Users\Admin\AppData\Local\Temp\tmp240601406.exe
C:\Users\Admin\AppData\Local\Temp\tmp240601406.exe
53⤵
- Drops file in System32 directory
- Modifies registry class
PID:3680

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
54⤵
PID:404

C:\Users\Admin\AppData\Local\Temp\tmp240601765.exe
C:\Users\Admin\AppData\Local\Temp\tmp240601765.exe
55⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:744

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
56⤵
PID:4824

C:\Users\Admin\AppData\Local\Temp\tmp240602015.exe
C:\Users\Admin\AppData\Local\Temp\tmp240602015.exe
57⤵
- Checks computer location settings
- Modifies registry class
PID:1988

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
58⤵
PID:3300

C:\Users\Admin\AppData\Local\Temp\tmp240602296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240602296.exe
59⤵
- Checks computer location settings
- Drops file in System32 directory
PID:5064

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
60⤵
PID:1868

C:\Users\Admin\AppData\Local\Temp\tmp240602640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240602640.exe
61⤵
- Checks computer location settings
- Modifies registry class
PID:1260

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
62⤵
PID:4952

C:\Users\Admin\AppData\Local\Temp\tmp240602906.exe
C:\Users\Admin\AppData\Local\Temp\tmp240602906.exe
63⤵
- Checks computer location settings
- Modifies registry class
PID:2304

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
64⤵
PID:916

C:\Users\Admin\AppData\Local\Temp\tmp240603265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240603265.exe
65⤵
- Modifies registry class
PID:2404

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
66⤵
PID:4960

C:\Users\Admin\AppData\Local\Temp\tmp240603625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240603625.exe
67⤵
- Drops file in System32 directory
- Modifies registry class
PID:4660

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
68⤵
PID:3236

C:\Users\Admin\AppData\Local\Temp\tmp240604031.exe
C:\Users\Admin\AppData\Local\Temp\tmp240604031.exe
69⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:1268

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
70⤵
PID:4180

C:\Users\Admin\AppData\Local\Temp\tmp240604359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240604359.exe
71⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:4232

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
72⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\tmp240604687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240604687.exe
73⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:3904

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
74⤵
PID:3656

C:\Users\Admin\AppData\Local\Temp\tmp240604937.exe
C:\Users\Admin\AppData\Local\Temp\tmp240604937.exe
75⤵
- Drops file in System32 directory
PID:3620

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
76⤵
PID:2396

C:\Users\Admin\AppData\Local\Temp\tmp240605203.exe
C:\Users\Admin\AppData\Local\Temp\tmp240605203.exe
77⤵
- Checks computer location settings
- Drops file in System32 directory
PID:2240

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
78⤵
PID:4732

C:\Users\Admin\AppData\Local\Temp\tmp240634812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240634812.exe
79⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:2620

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
80⤵
PID:2492

C:\Users\Admin\AppData\Local\Temp\tmp240641562.exe
C:\Users\Admin\AppData\Local\Temp\tmp240641562.exe
81⤵
- Checks computer location settings
- Modifies registry class
PID:2272

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
82⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\tmp240641828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240641828.exe
83⤵
- Drops file in System32 directory
- Modifies registry class
PID:4868

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
84⤵
PID:3136

C:\Users\Admin\AppData\Local\Temp\tmp240642078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240642078.exe
85⤵
- Checks computer location settings
- Modifies registry class
PID:3168

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
86⤵
PID:2388

C:\Users\Admin\AppData\Local\Temp\tmp240642234.exe
C:\Users\Admin\AppData\Local\Temp\tmp240642234.exe
87⤵
- Drops file in System32 directory
- Modifies registry class
PID:1200

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
88⤵
PID:996

C:\Users\Admin\AppData\Local\Temp\tmp240642468.exe
C:\Users\Admin\AppData\Local\Temp\tmp240642468.exe
89⤵
PID:1156

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
90⤵
PID:3652

C:\Users\Admin\AppData\Local\Temp\tmp240642656.exe
C:\Users\Admin\AppData\Local\Temp\tmp240642656.exe
91⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:4092

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
92⤵
PID:3636

C:\Users\Admin\AppData\Local\Temp\tmp240642953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240642953.exe
93⤵
- Checks computer location settings
PID:2636

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
94⤵
PID:1832

C:\Users\Admin\AppData\Local\Temp\tmp240643156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240643156.exe
95⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:1020

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
96⤵
PID:752

C:\Users\Admin\AppData\Local\Temp\tmp240643375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240643375.exe
97⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:2244

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
98⤵
PID:2008

C:\Users\Admin\AppData\Local\Temp\tmp240643640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240643640.exe
99⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:3676

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
100⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\tmp240643875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240643875.exe
101⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:2224

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
102⤵
PID:4480

C:\Users\Admin\AppData\Local\Temp\tmp240644515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240644515.exe
103⤵
- Checks computer location settings
- Drops file in System32 directory
PID:4988

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
104⤵
PID:3012

C:\Users\Admin\AppData\Local\Temp\tmp240644687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240644687.exe
105⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:4268

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
106⤵
PID:4540

C:\Users\Admin\AppData\Local\Temp\tmp240644953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240644953.exe
107⤵
- Drops file in System32 directory
- Modifies registry class
PID:1480

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
108⤵
PID:1336

C:\Users\Admin\AppData\Local\Temp\tmp240645156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240645156.exe
109⤵
- Checks computer location settings
- Drops file in System32 directory
PID:1452

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
110⤵
PID:3688

C:\Users\Admin\AppData\Local\Temp\tmp240645484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240645484.exe
111⤵
- Checks computer location settings
- Modifies registry class
PID:1852

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
112⤵
PID:3600

C:\Users\Admin\AppData\Local\Temp\tmp240645734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240645734.exe
113⤵
- Checks computer location settings
- Drops file in System32 directory
PID:3488

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
114⤵
PID:4676

C:\Users\Admin\AppData\Local\Temp\tmp240646031.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646031.exe
115⤵
- Checks computer location settings
PID:2040

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
116⤵
PID:2396

C:\Users\Admin\AppData\Local\Temp\tmp240646375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646375.exe
117⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:4716

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
118⤵
PID:4060

C:\Users\Admin\AppData\Local\Temp\tmp240646625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646625.exe
119⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:4880

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
120⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\tmp240647546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240647546.exe
121⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:3024

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
122⤵
PID:2560

C:\Users\Admin\AppData\Local\Temp\tmp240648515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240648515.exe
123⤵
- Checks computer location settings
- Modifies registry class
PID:3524

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
124⤵
PID:4380

C:\Users\Admin\AppData\Local\Temp\tmp240649375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240649375.exe
125⤵
- Drops file in System32 directory
PID:1072

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
126⤵
PID:2116

C:\Users\Admin\AppData\Local\Temp\tmp240649906.exe
C:\Users\Admin\AppData\Local\Temp\tmp240649906.exe
127⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:3792

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
128⤵
PID:3580

C:\Users\Admin\AppData\Local\Temp\tmp240650640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240650640.exe
129⤵
- Modifies registry class
PID:2776

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
130⤵
PID:1304

C:\Users\Admin\AppData\Local\Temp\tmp240651375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240651375.exe
131⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:3092

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
132⤵
PID:2796

C:\Users\Admin\AppData\Local\Temp\tmp240651765.exe
C:\Users\Admin\AppData\Local\Temp\tmp240651765.exe
133⤵
PID:4268

C:\Users\Admin\AppData\Local\Temp\tmp240652359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240652359.exe
133⤵
PID:2168

C:\Users\Admin\AppData\Local\Temp\tmp240654000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240654000.exe
134⤵
PID:3296

C:\Users\Admin\AppData\Local\Temp\tmp240654109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240654109.exe
134⤵
PID:1152

C:\Users\Admin\AppData\Local\Temp\tmp240666156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240666156.exe
135⤵
PID:4392

C:\Users\Admin\AppData\Local\Temp\tmp240671234.exe
C:\Users\Admin\AppData\Local\Temp\tmp240671234.exe
135⤵
PID:2620

C:\Users\Admin\AppData\Local\Temp\tmp240680953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240680953.exe
136⤵
- Checks computer location settings
PID:4352

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
137⤵
PID:3168

C:\Users\Admin\AppData\Local\Temp\tmp240689093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240689093.exe
138⤵
- Checks computer location settings
- Modifies registry class
PID:3748

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
139⤵
PID:3180

C:\Users\Admin\AppData\Local\Temp\tmp240691625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240691625.exe
140⤵
- Checks computer location settings
PID:744

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
141⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\tmp240692062.exe
C:\Users\Admin\AppData\Local\Temp\tmp240692062.exe
142⤵
PID:2132

C:\Users\Admin\AppData\Local\Temp\tmp240692171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240692171.exe
142⤵
PID:4984

C:\Users\Admin\AppData\Local\Temp\tmp240692375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240692375.exe
143⤵
PID:684

C:\Users\Admin\AppData\Local\Temp\tmp240692453.exe
C:\Users\Admin\AppData\Local\Temp\tmp240692453.exe
143⤵
PID:3120

C:\Users\Admin\AppData\Local\Temp\tmp240693125.exe
C:\Users\Admin\AppData\Local\Temp\tmp240693125.exe
144⤵
PID:4324

C:\Users\Admin\AppData\Local\Temp\tmp240693656.exe
C:\Users\Admin\AppData\Local\Temp\tmp240693656.exe
144⤵
PID:3768

C:\Users\Admin\AppData\Local\Temp\tmp240693781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240693781.exe
145⤵
PID:2168

C:\Users\Admin\AppData\Local\Temp\tmp240693843.exe
C:\Users\Admin\AppData\Local\Temp\tmp240693843.exe
145⤵
PID:1488

C:\Users\Admin\AppData\Local\Temp\tmp240691828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240691828.exe
140⤵
PID:404

C:\Users\Admin\AppData\Local\Temp\tmp240692359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240692359.exe
141⤵
PID:4620

C:\Users\Admin\AppData\Local\Temp\tmp240692421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240692421.exe
141⤵
PID:3480

C:\Users\Admin\AppData\Local\Temp\tmp240692640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240692640.exe
142⤵
PID:3280

C:\Users\Admin\AppData\Local\Temp\tmp240692687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240692687.exe
142⤵
PID:1452

C:\Users\Admin\AppData\Local\Temp\tmp240693140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240693140.exe
143⤵
PID:764

C:\Users\Admin\AppData\Local\Temp\tmp240693750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240693750.exe
143⤵
PID:2684

C:\Users\Admin\AppData\Local\Temp\tmp240690562.exe
C:\Users\Admin\AppData\Local\Temp\tmp240690562.exe
138⤵
PID:2884

C:\Users\Admin\AppData\Local\Temp\tmp240691125.exe
C:\Users\Admin\AppData\Local\Temp\tmp240691125.exe
139⤵
PID:648

C:\Users\Admin\AppData\Local\Temp\tmp240691718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240691718.exe
139⤵
PID:4488

C:\Users\Admin\AppData\Local\Temp\tmp240691968.exe
C:\Users\Admin\AppData\Local\Temp\tmp240691968.exe
140⤵
PID:3872

C:\Users\Admin\AppData\Local\Temp\tmp240692203.exe
C:\Users\Admin\AppData\Local\Temp\tmp240692203.exe
140⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\tmp240692593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240692593.exe
141⤵
PID:2232

C:\Users\Admin\AppData\Local\Temp\tmp240692734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240692734.exe
141⤵
PID:2148

C:\Users\Admin\AppData\Local\Temp\tmp240687156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240687156.exe
136⤵
PID:4880

C:\Users\Admin\AppData\Local\Temp\tmp240651500.exe
C:\Users\Admin\AppData\Local\Temp\tmp240651500.exe
131⤵
PID:4756

C:\Users\Admin\AppData\Local\Temp\tmp240652421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240652421.exe
132⤵
- Checks computer location settings
- Drops file in System32 directory
PID:720

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
133⤵
PID:2236

C:\Users\Admin\AppData\Local\Temp\tmp240654203.exe
C:\Users\Admin\AppData\Local\Temp\tmp240654203.exe
134⤵
- Checks computer location settings
- Modifies registry class
PID:3736

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
135⤵
PID:2396

C:\Users\Admin\AppData\Local\Temp\tmp240680968.exe
C:\Users\Admin\AppData\Local\Temp\tmp240680968.exe
136⤵
PID:4940

C:\Users\Admin\AppData\Local\Temp\tmp240688906.exe
C:\Users\Admin\AppData\Local\Temp\tmp240688906.exe
136⤵
PID:3016

C:\Users\Admin\AppData\Local\Temp\tmp240690578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240690578.exe
137⤵
PID:3920

C:\Users\Admin\AppData\Local\Temp\tmp240691046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240691046.exe
137⤵
PID:1132

C:\Users\Admin\AppData\Local\Temp\tmp240691140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240691140.exe
138⤵
PID:3100

C:\Users\Admin\AppData\Local\Temp\tmp240691609.exe
C:\Users\Admin\AppData\Local\Temp\tmp240691609.exe
138⤵
PID:680

C:\Users\Admin\AppData\Local\Temp\tmp240691812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240691812.exe
139⤵
- Modifies registry class
PID:2776

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
140⤵
PID:3184

C:\Users\Admin\AppData\Local\Temp\tmp240692750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240692750.exe
141⤵
PID:4304

C:\Users\Admin\AppData\Local\Temp\tmp240692968.exe
C:\Users\Admin\AppData\Local\Temp\tmp240692968.exe
141⤵
PID:5096

C:\Users\Admin\AppData\Local\Temp\tmp240693718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240693718.exe
142⤵
PID:1824

C:\Users\Admin\AppData\Local\Temp\tmp240693828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240693828.exe
142⤵
PID:3600

C:\Users\Admin\AppData\Local\Temp\tmp240693890.exe
C:\Users\Admin\AppData\Local\Temp\tmp240693890.exe
143⤵
- Checks computer location settings
PID:5084

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
144⤵
PID:488

C:\Users\Admin\AppData\Local\Temp\tmp240694437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240694437.exe
145⤵
PID:3656

C:\Users\Admin\AppData\Local\Temp\tmp240694546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240694546.exe
145⤵
PID:4732

C:\Users\Admin\AppData\Local\Temp\tmp240694796.exe
C:\Users\Admin\AppData\Local\Temp\tmp240694796.exe
146⤵
PID:2916

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
147⤵
PID:4972

C:\Users\Admin\AppData\Local\Temp\tmp240695250.exe
C:\Users\Admin\AppData\Local\Temp\tmp240695250.exe
148⤵
PID:1296

C:\Users\Admin\AppData\Local\Temp\tmp240695296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240695296.exe
148⤵
PID:3540

C:\Users\Admin\AppData\Local\Temp\tmp240695562.exe
C:\Users\Admin\AppData\Local\Temp\tmp240695562.exe
149⤵
PID:4808

C:\Users\Admin\AppData\Local\Temp\tmp240695593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240695593.exe
149⤵
PID:4884

C:\Users\Admin\AppData\Local\Temp\tmp240695640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240695640.exe
150⤵
PID:2428

C:\Users\Admin\AppData\Local\Temp\tmp240695687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240695687.exe
150⤵
PID:2364

C:\Users\Admin\AppData\Local\Temp\tmp240695734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240695734.exe
151⤵
PID:2552

C:\Users\Admin\AppData\Local\Temp\tmp240695781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240695781.exe
151⤵
PID:460

C:\Users\Admin\AppData\Local\Temp\tmp240694875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240694875.exe
146⤵
PID:2612

C:\Users\Admin\AppData\Local\Temp\tmp240695000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240695000.exe
147⤵
PID:2492

C:\Users\Admin\AppData\Local\Temp\tmp240695062.exe
C:\Users\Admin\AppData\Local\Temp\tmp240695062.exe
147⤵
PID:3352

C:\Users\Admin\AppData\Local\Temp\tmp240695234.exe
C:\Users\Admin\AppData\Local\Temp\tmp240695234.exe
148⤵
- Drops file in System32 directory
PID:4512

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
149⤵
PID:4216

C:\Users\Admin\AppData\Local\Temp\tmp240695750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240695750.exe
150⤵
- Checks computer location settings
PID:4380

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
151⤵
PID:4740

C:\Users\Admin\AppData\Local\Temp\tmp240696109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240696109.exe
152⤵
PID:4412

C:\Users\Admin\AppData\Local\Temp\tmp240696156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240696156.exe
152⤵
PID:2884

C:\Users\Admin\AppData\Local\Temp\tmp240696296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240696296.exe
153⤵
PID:3520

C:\Users\Admin\AppData\Local\Temp\tmp240696375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240696375.exe
153⤵
PID:4632

C:\Users\Admin\AppData\Local\Temp\tmp240696437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240696437.exe
154⤵
PID:1484

C:\Users\Admin\AppData\Local\Temp\tmp240696453.exe
C:\Users\Admin\AppData\Local\Temp\tmp240696453.exe
154⤵
PID:4100

C:\Users\Admin\AppData\Local\Temp\tmp240696531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240696531.exe
155⤵
PID:5028

C:\Users\Admin\AppData\Local\Temp\tmp240696562.exe
C:\Users\Admin\AppData\Local\Temp\tmp240696562.exe
155⤵
PID:1300

C:\Users\Admin\AppData\Local\Temp\tmp240695765.exe
C:\Users\Admin\AppData\Local\Temp\tmp240695765.exe
150⤵
PID:3428

C:\Users\Admin\AppData\Local\Temp\tmp240695859.exe
C:\Users\Admin\AppData\Local\Temp\tmp240695859.exe
151⤵
PID:2388

C:\Users\Admin\AppData\Local\Temp\tmp240695875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240695875.exe
151⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\tmp240696000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240696000.exe
152⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\tmp240696015.exe
C:\Users\Admin\AppData\Local\Temp\tmp240696015.exe
152⤵
PID:3100

C:\Users\Admin\AppData\Local\Temp\tmp240696093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240696093.exe
153⤵
- Checks computer location settings
- Modifies registry class
PID:4648

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
154⤵
PID:4704

C:\Users\Admin\AppData\Local\Temp\tmp240696578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240696578.exe
155⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\tmp240696656.exe
C:\Users\Admin\AppData\Local\Temp\tmp240696656.exe
156⤵
- Checks computer location settings
- Modifies registry class
PID:3772

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
157⤵
PID:3492

C:\Users\Admin\AppData\Local\Temp\tmp240697265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240697265.exe
158⤵
PID:4556

C:\Users\Admin\AppData\Local\Temp\tmp240697312.exe
C:\Users\Admin\AppData\Local\Temp\tmp240697312.exe
158⤵
PID:1520

C:\Users\Admin\AppData\Local\Temp\tmp240697359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240697359.exe
159⤵
PID:4172

C:\Users\Admin\AppData\Local\Temp\tmp240697375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240697375.exe
159⤵
PID:3236

C:\Users\Admin\AppData\Local\Temp\tmp240697406.exe
C:\Users\Admin\AppData\Local\Temp\tmp240697406.exe
160⤵
PID:3012

C:\Users\Admin\AppData\Local\Temp\tmp240697421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240697421.exe
160⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\tmp240697468.exe
C:\Users\Admin\AppData\Local\Temp\tmp240697468.exe
161⤵
PID:5116

C:\Users\Admin\AppData\Local\Temp\tmp240697484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240697484.exe
161⤵
PID:4752

C:\Users\Admin\AppData\Local\Temp\tmp240697546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240697546.exe
162⤵
PID:3632

C:\Users\Admin\AppData\Local\Temp\tmp240697609.exe
C:\Users\Admin\AppData\Local\Temp\tmp240697609.exe
162⤵
PID:2136

C:\Users\Admin\AppData\Local\Temp\tmp240696671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240696671.exe
156⤵
PID:1988

C:\Users\Admin\AppData\Local\Temp\tmp240697171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240697171.exe
157⤵
PID:3332

C:\Users\Admin\AppData\Local\Temp\tmp240697187.exe
C:\Users\Admin\AppData\Local\Temp\tmp240697187.exe
157⤵
PID:1800

C:\Users\Admin\AppData\Local\Temp\tmp240697218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240697218.exe
158⤵
- Checks computer location settings
- Modifies registry class
PID:3776

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
159⤵
PID:2148

C:\Users\Admin\AppData\Local\Temp\tmp240697515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240697515.exe
160⤵
- Checks computer location settings
PID:5008

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
161⤵
PID:2796

C:\Users\Admin\AppData\Local\Temp\tmp240697828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240697828.exe
162⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:2684

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
163⤵
PID:3616

C:\Users\Admin\AppData\Local\Temp\tmp240698843.exe
C:\Users\Admin\AppData\Local\Temp\tmp240698843.exe
164⤵
PID:5084

C:\Users\Admin\AppData\Local\Temp\tmp240698906.exe
C:\Users\Admin\AppData\Local\Temp\tmp240698906.exe
164⤵
PID:4644

C:\Users\Admin\AppData\Local\Temp\tmp240698953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240698953.exe
165⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\tmp240699000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240699000.exe
165⤵
PID:4664

C:\Users\Admin\AppData\Local\Temp\tmp240699078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240699078.exe
166⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\tmp240699250.exe
C:\Users\Admin\AppData\Local\Temp\tmp240699250.exe
166⤵
PID:1588

C:\Users\Admin\AppData\Local\Temp\tmp240699296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240699296.exe
167⤵
PID:3488

C:\Users\Admin\AppData\Local\Temp\tmp240699375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240699375.exe
167⤵
PID:3736

C:\Users\Admin\AppData\Local\Temp\tmp240699484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240699484.exe
168⤵
PID:1976

C:\Users\Admin\AppData\Local\Temp\tmp240699562.exe
C:\Users\Admin\AppData\Local\Temp\tmp240699562.exe
168⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\tmp240697843.exe
C:\Users\Admin\AppData\Local\Temp\tmp240697843.exe
162⤵
PID:4564

C:\Users\Admin\AppData\Local\Temp\tmp240698375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240698375.exe
163⤵
PID:5108

C:\Users\Admin\AppData\Local\Temp\tmp240698531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240698531.exe
163⤵
PID:456

C:\Users\Admin\AppData\Local\Temp\tmp240698828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240698828.exe
164⤵
- Checks computer location settings
- Drops file in System32 directory
PID:732

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
165⤵
PID:5044

C:\Users\Admin\AppData\Local\Temp\tmp240699187.exe
C:\Users\Admin\AppData\Local\Temp\tmp240699187.exe
166⤵
- Drops file in System32 directory
- Modifies registry class
PID:4828

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
167⤵
PID:4764

C:\Users\Admin\AppData\Local\Temp\tmp240699609.exe
C:\Users\Admin\AppData\Local\Temp\tmp240699609.exe
168⤵
- Checks computer location settings
- Modifies registry class
PID:2560

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
169⤵
PID:4712

C:\Users\Admin\AppData\Local\Temp\tmp240699890.exe
C:\Users\Admin\AppData\Local\Temp\tmp240699890.exe
170⤵
- Drops file in System32 directory
PID:3524

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
171⤵
PID:3636

C:\Users\Admin\AppData\Local\Temp\tmp240699687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240699687.exe
168⤵
PID:4376

C:\Users\Admin\AppData\Local\Temp\tmp240699734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240699734.exe
169⤵
PID:2120

C:\Users\Admin\AppData\Local\Temp\tmp240699796.exe
C:\Users\Admin\AppData\Local\Temp\tmp240699796.exe
169⤵
PID:2344

C:\Users\Admin\AppData\Local\Temp\tmp240699828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240699828.exe
170⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\tmp240699843.exe
C:\Users\Admin\AppData\Local\Temp\tmp240699843.exe
170⤵
PID:996

C:\Users\Admin\AppData\Local\Temp\tmp240699875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240699875.exe
171⤵
PID:3084

C:\Users\Admin\AppData\Local\Temp\tmp240699906.exe
C:\Users\Admin\AppData\Local\Temp\tmp240699906.exe
171⤵
PID:4216

C:\Users\Admin\AppData\Local\Temp\tmp240699343.exe
C:\Users\Admin\AppData\Local\Temp\tmp240699343.exe
166⤵
PID:4800

C:\Users\Admin\AppData\Local\Temp\tmp240699437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240699437.exe
167⤵
PID:3328

C:\Users\Admin\AppData\Local\Temp\tmp240699531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240699531.exe
167⤵
PID:4784

C:\Users\Admin\AppData\Local\Temp\tmp240699578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240699578.exe
168⤵
PID:2612

C:\Users\Admin\AppData\Local\Temp\tmp240699625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240699625.exe
168⤵
PID:4848

C:\Users\Admin\AppData\Local\Temp\tmp240699656.exe
C:\Users\Admin\AppData\Local\Temp\tmp240699656.exe
169⤵
PID:2372

C:\Users\Admin\AppData\Local\Temp\tmp240699671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240699671.exe
169⤵
PID:1512

C:\Users\Admin\AppData\Local\Temp\tmp240699718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240699718.exe
170⤵
PID:3156

C:\Users\Admin\AppData\Local\Temp\tmp240699750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240699750.exe
170⤵
PID:4888

C:\Users\Admin\AppData\Local\Temp\tmp240698875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240698875.exe
164⤵
PID:312

C:\Users\Admin\AppData\Local\Temp\tmp240698968.exe
C:\Users\Admin\AppData\Local\Temp\tmp240698968.exe
165⤵
PID:1140

C:\Users\Admin\AppData\Local\Temp\tmp240699046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240699046.exe
165⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\tmp240699156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240699156.exe
166⤵
PID:3904

C:\Users\Admin\AppData\Local\Temp\tmp240699203.exe
C:\Users\Admin\AppData\Local\Temp\tmp240699203.exe
166⤵
PID:4056

C:\Users\Admin\AppData\Local\Temp\tmp240697593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240697593.exe
160⤵
PID:2400

C:\Users\Admin\AppData\Local\Temp\tmp240697671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240697671.exe
161⤵
PID:4772

C:\Users\Admin\AppData\Local\Temp\tmp240697750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240697750.exe
161⤵
PID:3924

C:\Users\Admin\AppData\Local\Temp\tmp240697796.exe
C:\Users\Admin\AppData\Local\Temp\tmp240697796.exe
162⤵
PID:1852

C:\Users\Admin\AppData\Local\Temp\tmp240697812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240697812.exe
162⤵
PID:4948

C:\Users\Admin\AppData\Local\Temp\tmp240697890.exe
C:\Users\Admin\AppData\Local\Temp\tmp240697890.exe
163⤵
PID:3620

C:\Users\Admin\AppData\Local\Temp\tmp240698328.exe
C:\Users\Admin\AppData\Local\Temp\tmp240698328.exe
163⤵
PID:3268

C:\Users\Admin\AppData\Local\Temp\tmp240698562.exe
C:\Users\Admin\AppData\Local\Temp\tmp240698562.exe
164⤵
PID:1456

C:\Users\Admin\AppData\Local\Temp\tmp240698750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240698750.exe
164⤵
PID:2812

C:\Users\Admin\AppData\Local\Temp\tmp240697234.exe
C:\Users\Admin\AppData\Local\Temp\tmp240697234.exe
158⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\tmp240696546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240696546.exe
155⤵
PID:3792

C:\Users\Admin\AppData\Local\Temp\tmp240696125.exe
C:\Users\Admin\AppData\Local\Temp\tmp240696125.exe
153⤵
PID:4372

C:\Users\Admin\AppData\Local\Temp\tmp240695390.exe
C:\Users\Admin\AppData\Local\Temp\tmp240695390.exe
148⤵
PID:4760

C:\Users\Admin\AppData\Local\Temp\tmp240693906.exe
C:\Users\Admin\AppData\Local\Temp\tmp240693906.exe
143⤵
PID:3712

C:\Users\Admin\AppData\Local\Temp\tmp240694203.exe
C:\Users\Admin\AppData\Local\Temp\tmp240694203.exe
144⤵
PID:1140

C:\Users\Admin\AppData\Local\Temp\tmp240694312.exe
C:\Users\Admin\AppData\Local\Temp\tmp240694312.exe
144⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\tmp240692140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240692140.exe
139⤵
PID:2772

C:\Users\Admin\AppData\Local\Temp\tmp240671171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240671171.exe
134⤵
PID:4852

C:\Users\Admin\AppData\Local\Temp\tmp240687046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240687046.exe
135⤵
PID:4900

C:\Users\Admin\AppData\Local\Temp\tmp240688812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240688812.exe
135⤵
PID:3584

C:\Users\Admin\AppData\Local\Temp\tmp240689859.exe
C:\Users\Admin\AppData\Local\Temp\tmp240689859.exe
136⤵
PID:932

C:\Users\Admin\AppData\Local\Temp\tmp240691171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240691171.exe
136⤵
PID:2700

C:\Users\Admin\AppData\Local\Temp\tmp240691750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240691750.exe
137⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\tmp240691875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240691875.exe
137⤵
PID:3320

C:\Users\Admin\AppData\Local\Temp\tmp240653156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240653156.exe
132⤵
PID:312

C:\Users\Admin\AppData\Local\Temp\tmp240654031.exe
C:\Users\Admin\AppData\Local\Temp\tmp240654031.exe
133⤵
PID:3640

C:\Users\Admin\AppData\Local\Temp\tmp240654156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240654156.exe
133⤵
PID:1652

C:\Users\Admin\AppData\Local\Temp\tmp240671156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240671156.exe
134⤵
PID:4732

C:\Users\Admin\AppData\Local\Temp\tmp240671250.exe
C:\Users\Admin\AppData\Local\Temp\tmp240671250.exe
134⤵
PID:3328

C:\Users\Admin\AppData\Local\Temp\tmp240651031.exe
C:\Users\Admin\AppData\Local\Temp\tmp240651031.exe
129⤵
PID:3812

C:\Users\Admin\AppData\Local\Temp\tmp240651421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240651421.exe
130⤵
PID:4496

C:\Users\Admin\AppData\Local\Temp\tmp240651546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240651546.exe
130⤵
PID:1904

C:\Users\Admin\AppData\Local\Temp\tmp240652437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240652437.exe
131⤵
PID:456

C:\Users\Admin\AppData\Local\Temp\tmp240653234.exe
C:\Users\Admin\AppData\Local\Temp\tmp240653234.exe
131⤵
PID:3688

C:\Users\Admin\AppData\Local\Temp\tmp240654171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240654171.exe
132⤵
PID:1896

C:\Users\Admin\AppData\Local\Temp\tmp240671062.exe
C:\Users\Admin\AppData\Local\Temp\tmp240671062.exe
132⤵
PID:1876

C:\Users\Admin\AppData\Local\Temp\tmp240650484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240650484.exe
127⤵
PID:228

C:\Users\Admin\AppData\Local\Temp\tmp240650828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240650828.exe
128⤵
PID:404

C:\Users\Admin\AppData\Local\Temp\tmp240651250.exe
C:\Users\Admin\AppData\Local\Temp\tmp240651250.exe
128⤵
PID:1316

C:\Users\Admin\AppData\Local\Temp\tmp240651578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240651578.exe
129⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:3012

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
130⤵
PID:2088

C:\Users\Admin\AppData\Local\Temp\tmp240652953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240652953.exe
131⤵
PID:3236

C:\Users\Admin\AppData\Local\Temp\tmp240653953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240653953.exe
131⤵
PID:4272

C:\Users\Admin\AppData\Local\Temp\tmp240654093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240654093.exe
132⤵
PID:3600

C:\Users\Admin\AppData\Local\Temp\tmp240654140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240654140.exe
132⤵
PID:3488

C:\Users\Admin\AppData\Local\Temp\tmp240671109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240671109.exe
133⤵
PID:772

C:\Users\Admin\AppData\Local\Temp\tmp240680937.exe
C:\Users\Admin\AppData\Local\Temp\tmp240680937.exe
133⤵
PID:3596

C:\Users\Admin\AppData\Local\Temp\tmp240688828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240688828.exe
134⤵
- Checks computer location settings
PID:2892

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
135⤵
PID:2504

C:\Users\Admin\AppData\Local\Temp\tmp240690062.exe
C:\Users\Admin\AppData\Local\Temp\tmp240690062.exe
136⤵
PID:460

C:\Users\Admin\AppData\Local\Temp\tmp240691093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240691093.exe
136⤵
PID:4040

C:\Users\Admin\AppData\Local\Temp\tmp240691515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240691515.exe
137⤵
PID:3652

C:\Users\Admin\AppData\Local\Temp\tmp240691734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240691734.exe
137⤵
PID:3680

C:\Users\Admin\AppData\Local\Temp\tmp240691953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240691953.exe
138⤵
PID:3580

C:\Users\Admin\AppData\Local\Temp\tmp240692218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240692218.exe
138⤵
PID:4936

C:\Users\Admin\AppData\Local\Temp\tmp240692468.exe
C:\Users\Admin\AppData\Local\Temp\tmp240692468.exe
139⤵
- Modifies registry class
PID:4948

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
140⤵
PID:2072

C:\Users\Admin\AppData\Local\Temp\tmp240693734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240693734.exe
141⤵
PID:1836

C:\Users\Admin\AppData\Local\Temp\tmp240693796.exe
C:\Users\Admin\AppData\Local\Temp\tmp240693796.exe
141⤵
PID:312

C:\Users\Admin\AppData\Local\Temp\tmp240694125.exe
C:\Users\Admin\AppData\Local\Temp\tmp240694125.exe
142⤵
PID:4068

C:\Users\Admin\AppData\Local\Temp\tmp240694171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240694171.exe
142⤵
PID:4980

C:\Users\Admin\AppData\Local\Temp\tmp240694453.exe
C:\Users\Admin\AppData\Local\Temp\tmp240694453.exe
143⤵
- Checks computer location settings
- Drops file in System32 directory
PID:4672

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
144⤵
PID:3784

C:\Users\Admin\AppData\Local\Temp\tmp240694828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240694828.exe
145⤵
PID:2752

C:\Users\Admin\AppData\Local\Temp\tmp240694921.exe
C:\Users\Admin\AppData\Local\Temp\tmp240694921.exe
145⤵
PID:2736

C:\Users\Admin\AppData\Local\Temp\tmp240695078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240695078.exe
146⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\tmp240695171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240695171.exe
146⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\tmp240695265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240695265.exe
147⤵
PID:4364

C:\Users\Admin\AppData\Local\Temp\tmp240695312.exe
C:\Users\Admin\AppData\Local\Temp\tmp240695312.exe
147⤵
PID:2880

C:\Users\Admin\AppData\Local\Temp\tmp240695437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240695437.exe
148⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\tmp240695453.exe
C:\Users\Admin\AppData\Local\Temp\tmp240695453.exe
148⤵
PID:4576

C:\Users\Admin\AppData\Local\Temp\tmp240694484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240694484.exe
143⤵
PID:3288

C:\Users\Admin\AppData\Local\Temp\tmp240694562.exe
C:\Users\Admin\AppData\Local\Temp\tmp240694562.exe
144⤵
PID:4232

C:\Users\Admin\AppData\Local\Temp\tmp240694656.exe
C:\Users\Admin\AppData\Local\Temp\tmp240694656.exe
144⤵
PID:2720

C:\Users\Admin\AppData\Local\Temp\tmp240692937.exe
C:\Users\Admin\AppData\Local\Temp\tmp240692937.exe
139⤵
PID:3380

C:\Users\Admin\AppData\Local\Temp\tmp240689125.exe
C:\Users\Admin\AppData\Local\Temp\tmp240689125.exe
134⤵
PID:3980

C:\Users\Admin\AppData\Local\Temp\tmp240652406.exe
C:\Users\Admin\AppData\Local\Temp\tmp240652406.exe
129⤵
PID:2720

C:\Users\Admin\AppData\Local\Temp\tmp240655281.exe
C:\Users\Admin\AppData\Local\Temp\tmp240655281.exe
130⤵
PID:4676

C:\Users\Admin\AppData\Local\Temp\tmp240671046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240671046.exe
130⤵
PID:5000

C:\Users\Admin\AppData\Local\Temp\tmp240649734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240649734.exe
125⤵
PID:3636

C:\Users\Admin\AppData\Local\Temp\tmp240650281.exe
C:\Users\Admin\AppData\Local\Temp\tmp240650281.exe
126⤵
PID:2004

C:\Users\Admin\AppData\Local\Temp\tmp240650515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240650515.exe
126⤵
PID:4692

C:\Users\Admin\AppData\Local\Temp\tmp240650843.exe
C:\Users\Admin\AppData\Local\Temp\tmp240650843.exe
127⤵
PID:4700

C:\Users\Admin\AppData\Local\Temp\tmp240651234.exe
C:\Users\Admin\AppData\Local\Temp\tmp240651234.exe
127⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\tmp240651437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240651437.exe
128⤵
PID:684

C:\Users\Admin\AppData\Local\Temp\tmp240651625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240651625.exe
128⤵
PID:4620

C:\Users\Admin\AppData\Local\Temp\tmp240649140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240649140.exe
123⤵
PID:1468

C:\Users\Admin\AppData\Local\Temp\tmp240649562.exe
C:\Users\Admin\AppData\Local\Temp\tmp240649562.exe
124⤵
PID:1848

C:\Users\Admin\AppData\Local\Temp\tmp240649718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240649718.exe
124⤵
PID:4256

C:\Users\Admin\AppData\Local\Temp\tmp240650046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240650046.exe
125⤵
PID:3128

C:\Users\Admin\AppData\Local\Temp\tmp240650453.exe
C:\Users\Admin\AppData\Local\Temp\tmp240650453.exe
125⤵
PID:1020

C:\Users\Admin\AppData\Local\Temp\tmp240651109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240651109.exe
126⤵
PID:4432

C:\Users\Admin\AppData\Local\Temp\tmp240651296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240651296.exe
126⤵
PID:3300

C:\Users\Admin\AppData\Local\Temp\tmp240647625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240647625.exe
121⤵
PID:2220

C:\Users\Admin\AppData\Local\Temp\tmp240648015.exe
C:\Users\Admin\AppData\Local\Temp\tmp240648015.exe
122⤵
PID:3168

C:\Users\Admin\AppData\Local\Temp\tmp240648281.exe
C:\Users\Admin\AppData\Local\Temp\tmp240648281.exe
122⤵
PID:3776

C:\Users\Admin\AppData\Local\Temp\tmp240648500.exe
C:\Users\Admin\AppData\Local\Temp\tmp240648500.exe
123⤵
PID:2880

C:\Users\Admin\AppData\Local\Temp\tmp240648843.exe
C:\Users\Admin\AppData\Local\Temp\tmp240648843.exe
123⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\tmp240646656.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646656.exe
119⤵
PID:4892

C:\Users\Admin\AppData\Local\Temp\tmp240646703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646703.exe
120⤵
PID:4800

C:\Users\Admin\AppData\Local\Temp\tmp240646750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646750.exe
120⤵
PID:2272

C:\Users\Admin\AppData\Local\Temp\tmp240646781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646781.exe
121⤵
PID:4764

C:\Users\Admin\AppData\Local\Temp\tmp240646796.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646796.exe
121⤵
PID:4940

C:\Users\Admin\AppData\Local\Temp\tmp240646406.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646406.exe
117⤵
PID:4056

C:\Users\Admin\AppData\Local\Temp\tmp240646437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646437.exe
118⤵
PID:1444

C:\Users\Admin\AppData\Local\Temp\tmp240646468.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646468.exe
118⤵
PID:2240

C:\Users\Admin\AppData\Local\Temp\tmp240646515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646515.exe
119⤵
PID:2160

C:\Users\Admin\AppData\Local\Temp\tmp240646531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646531.exe
119⤵
PID:3088

C:\Users\Admin\AppData\Local\Temp\tmp240646078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646078.exe
115⤵
PID:2196

C:\Users\Admin\AppData\Local\Temp\tmp240646156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646156.exe
116⤵
PID:4600

C:\Users\Admin\AppData\Local\Temp\tmp240646187.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646187.exe
116⤵
PID:1728

C:\Users\Admin\AppData\Local\Temp\tmp240646250.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646250.exe
117⤵
PID:2468

C:\Users\Admin\AppData\Local\Temp\tmp240646265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240646265.exe
117⤵
PID:980

C:\Users\Admin\AppData\Local\Temp\tmp240645781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240645781.exe
113⤵
PID:2900

C:\Users\Admin\AppData\Local\Temp\tmp240645828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240645828.exe
114⤵
PID:5044

C:\Users\Admin\AppData\Local\Temp\tmp240645843.exe
C:\Users\Admin\AppData\Local\Temp\tmp240645843.exe
114⤵
PID:3588

C:\Users\Admin\AppData\Local\Temp\tmp240645500.exe
C:\Users\Admin\AppData\Local\Temp\tmp240645500.exe
111⤵
PID:5008

C:\Users\Admin\AppData\Local\Temp\tmp240645562.exe
C:\Users\Admin\AppData\Local\Temp\tmp240645562.exe
112⤵
PID:1996

C:\Users\Admin\AppData\Local\Temp\tmp240645578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240645578.exe
112⤵
PID:4232

C:\Users\Admin\AppData\Local\Temp\tmp240645171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240645171.exe
109⤵
PID:456

C:\Users\Admin\AppData\Local\Temp\tmp240644968.exe
C:\Users\Admin\AppData\Local\Temp\tmp240644968.exe
107⤵
PID:4904

C:\Users\Admin\AppData\Local\Temp\tmp240644703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240644703.exe
105⤵
PID:4620

C:\Users\Admin\AppData\Local\Temp\tmp240644546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240644546.exe
103⤵
PID:684

C:\Users\Admin\AppData\Local\Temp\tmp240644343.exe
C:\Users\Admin\AppData\Local\Temp\tmp240644343.exe
101⤵
PID:4824

C:\Users\Admin\AppData\Local\Temp\tmp240643671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240643671.exe
99⤵
PID:3424

C:\Users\Admin\AppData\Local\Temp\tmp240643406.exe
C:\Users\Admin\AppData\Local\Temp\tmp240643406.exe
97⤵
PID:3332

C:\Users\Admin\AppData\Local\Temp\tmp240643171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240643171.exe
95⤵
PID:3176

C:\Users\Admin\AppData\Local\Temp\tmp240642984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240642984.exe
93⤵
PID:4260

C:\Users\Admin\AppData\Local\Temp\tmp240642734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240642734.exe
91⤵
PID:460

C:\Users\Admin\AppData\Local\Temp\tmp240642500.exe
C:\Users\Admin\AppData\Local\Temp\tmp240642500.exe
89⤵
PID:3532

C:\Users\Admin\AppData\Local\Temp\tmp240642265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240642265.exe
87⤵
PID:4624

C:\Users\Admin\AppData\Local\Temp\tmp240642109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240642109.exe
85⤵
PID:3064

C:\Users\Admin\AppData\Local\Temp\tmp240641890.exe
C:\Users\Admin\AppData\Local\Temp\tmp240641890.exe
83⤵
PID:4764

C:\Users\Admin\AppData\Local\Temp\tmp240641625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240641625.exe
81⤵
PID:3284

C:\Users\Admin\AppData\Local\Temp\tmp240641265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240641265.exe
79⤵
PID:1648

C:\Users\Admin\AppData\Local\Temp\tmp240625890.exe
C:\Users\Admin\AppData\Local\Temp\tmp240625890.exe
77⤵
PID:4716

C:\Users\Admin\AppData\Local\Temp\tmp240605000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240605000.exe
75⤵
PID:2540

C:\Users\Admin\AppData\Local\Temp\tmp240604750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240604750.exe
73⤵
PID:3384

C:\Users\Admin\AppData\Local\Temp\tmp240604421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240604421.exe
71⤵
PID:3380

C:\Users\Admin\AppData\Local\Temp\tmp240604140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240604140.exe
69⤵
PID:5092

C:\Users\Admin\AppData\Local\Temp\tmp240603812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240603812.exe
67⤵
PID:2356

C:\Users\Admin\AppData\Local\Temp\tmp240603437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240603437.exe
65⤵
PID:4620

C:\Users\Admin\AppData\Local\Temp\tmp240602984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240602984.exe
63⤵
PID:4840

C:\Users\Admin\AppData\Local\Temp\tmp240602718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240602718.exe
61⤵
PID:3092

C:\Users\Admin\AppData\Local\Temp\tmp240602437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240602437.exe
59⤵
PID:3468

C:\Users\Admin\AppData\Local\Temp\tmp240602078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240602078.exe
57⤵
PID:4484

C:\Users\Admin\AppData\Local\Temp\tmp240601828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240601828.exe
55⤵
PID:4412

C:\Users\Admin\AppData\Local\Temp\tmp240601531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240601531.exe
53⤵
PID:3580

C:\Users\Admin\AppData\Local\Temp\tmp240601203.exe
C:\Users\Admin\AppData\Local\Temp\tmp240601203.exe
51⤵
PID:224

C:\Users\Admin\AppData\Local\Temp\tmp240600968.exe
C:\Users\Admin\AppData\Local\Temp\tmp240600968.exe
49⤵
PID:3428

C:\Users\Admin\AppData\Local\Temp\tmp240600656.exe
C:\Users\Admin\AppData\Local\Temp\tmp240600656.exe
47⤵
PID:2608

C:\Users\Admin\AppData\Local\Temp\tmp240600375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240600375.exe
45⤵
PID:3756

C:\Users\Admin\AppData\Local\Temp\tmp240600015.exe
C:\Users\Admin\AppData\Local\Temp\tmp240600015.exe
43⤵
- Executes dropped EXE
PID:2388

C:\Users\Admin\AppData\Local\Temp\tmp240599640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599640.exe
41⤵
- Executes dropped EXE
PID:4308

C:\Users\Admin\AppData\Local\Temp\tmp240599375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599375.exe
39⤵
- Executes dropped EXE
PID:4800

C:\Users\Admin\AppData\Local\Temp\tmp240598765.exe
C:\Users\Admin\AppData\Local\Temp\tmp240598765.exe
37⤵
- Executes dropped EXE
PID:976

C:\Users\Admin\AppData\Local\Temp\tmp240585468.exe
C:\Users\Admin\AppData\Local\Temp\tmp240585468.exe
35⤵
- Executes dropped EXE
PID:4732

C:\Users\Admin\AppData\Local\Temp\tmp240584546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240584546.exe
33⤵
- Executes dropped EXE
PID:4300

C:\Users\Admin\AppData\Local\Temp\tmp240584296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240584296.exe
31⤵
- Executes dropped EXE
PID:4992

C:\Users\Admin\AppData\Local\Temp\tmp240584109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240584109.exe
29⤵
- Executes dropped EXE
PID:1684

C:\Users\Admin\AppData\Local\Temp\tmp240583093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240583093.exe
27⤵
- Executes dropped EXE
PID:1204

C:\Users\Admin\AppData\Local\Temp\tmp240582906.exe
C:\Users\Admin\AppData\Local\Temp\tmp240582906.exe
25⤵
- Executes dropped EXE
PID:4172

C:\Users\Admin\AppData\Local\Temp\tmp240582625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240582625.exe
23⤵
- Executes dropped EXE
PID:4960

C:\Users\Admin\AppData\Local\Temp\tmp240581796.exe
C:\Users\Admin\AppData\Local\Temp\tmp240581796.exe
21⤵
- Executes dropped EXE
PID:2304

C:\Users\Admin\AppData\Local\Temp\tmp240581281.exe
C:\Users\Admin\AppData\Local\Temp\tmp240581281.exe
19⤵
- Executes dropped EXE
PID:1868

C:\Users\Admin\AppData\Local\Temp\tmp240579937.exe
C:\Users\Admin\AppData\Local\Temp\tmp240579937.exe
17⤵
- Executes dropped EXE
PID:3336

C:\Users\Admin\AppData\Local\Temp\tmp240579375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240579375.exe
15⤵
- Executes dropped EXE
PID:2700

C:\Users\Admin\AppData\Local\Temp\tmp240562203.exe
C:\Users\Admin\AppData\Local\Temp\tmp240562203.exe
13⤵
- Executes dropped EXE
PID:3180

C:\Users\Admin\AppData\Local\Temp\tmp240561921.exe
C:\Users\Admin\AppData\Local\Temp\tmp240561921.exe
11⤵
- Executes dropped EXE
PID:3980

C:\Users\Admin\AppData\Local\Temp\tmp240561640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240561640.exe
9⤵
- Executes dropped EXE
PID:1200

C:\Users\Admin\AppData\Local\Temp\tmp240561140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240561140.exe
7⤵
- Executes dropped EXE
PID:4308

C:\Users\Admin\AppData\Local\Temp\tmp240560703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240560703.exe
5⤵
- Executes dropped EXE
PID:2232

C:\Users\Admin\AppData\Local\Temp\tmp240560390.exe
C:\Users\Admin\AppData\Local\Temp\tmp240560390.exe
3⤵
- Executes dropped EXE
PID:1588

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp240560156.exe

Filesize
883KB

MD5
44c6664ce2278eb1f4c2c2324a4aed38

SHA1
e02a0cae906c6da6c9750e4cbf7314565c6a2d22

SHA256
0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2

SHA512
b14e810469dc52fe68bd2a65a050287cf9412325557c65dfe6ca2ae3a8bb465e239085d877a6521710dc88f0e2e68dbd6cc7cf557281f95c882217d135d47b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240560156.exe

Filesize
883KB

MD5
44c6664ce2278eb1f4c2c2324a4aed38

SHA1
e02a0cae906c6da6c9750e4cbf7314565c6a2d22

SHA256
0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2

SHA512
b14e810469dc52fe68bd2a65a050287cf9412325557c65dfe6ca2ae3a8bb465e239085d877a6521710dc88f0e2e68dbd6cc7cf557281f95c882217d135d47b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240560390.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240560625.exe

Filesize
883KB

MD5
44c6664ce2278eb1f4c2c2324a4aed38

SHA1
e02a0cae906c6da6c9750e4cbf7314565c6a2d22

SHA256
0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2

SHA512
b14e810469dc52fe68bd2a65a050287cf9412325557c65dfe6ca2ae3a8bb465e239085d877a6521710dc88f0e2e68dbd6cc7cf557281f95c882217d135d47b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240560625.exe

Filesize
883KB

MD5
44c6664ce2278eb1f4c2c2324a4aed38

SHA1
e02a0cae906c6da6c9750e4cbf7314565c6a2d22

SHA256
0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2

SHA512
b14e810469dc52fe68bd2a65a050287cf9412325557c65dfe6ca2ae3a8bb465e239085d877a6521710dc88f0e2e68dbd6cc7cf557281f95c882217d135d47b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240560703.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240561093.exe

Filesize
883KB

MD5
44c6664ce2278eb1f4c2c2324a4aed38

SHA1
e02a0cae906c6da6c9750e4cbf7314565c6a2d22

SHA256
0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2

SHA512
b14e810469dc52fe68bd2a65a050287cf9412325557c65dfe6ca2ae3a8bb465e239085d877a6521710dc88f0e2e68dbd6cc7cf557281f95c882217d135d47b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240561093.exe

Filesize
883KB

MD5
44c6664ce2278eb1f4c2c2324a4aed38

SHA1
e02a0cae906c6da6c9750e4cbf7314565c6a2d22

SHA256
0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2

SHA512
b14e810469dc52fe68bd2a65a050287cf9412325557c65dfe6ca2ae3a8bb465e239085d877a6521710dc88f0e2e68dbd6cc7cf557281f95c882217d135d47b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240561140.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240561531.exe

Filesize
883KB

MD5
44c6664ce2278eb1f4c2c2324a4aed38

SHA1
e02a0cae906c6da6c9750e4cbf7314565c6a2d22

SHA256
0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2

SHA512
b14e810469dc52fe68bd2a65a050287cf9412325557c65dfe6ca2ae3a8bb465e239085d877a6521710dc88f0e2e68dbd6cc7cf557281f95c882217d135d47b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240561531.exe

Filesize
883KB

MD5
44c6664ce2278eb1f4c2c2324a4aed38

SHA1
e02a0cae906c6da6c9750e4cbf7314565c6a2d22

SHA256
0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2

SHA512
b14e810469dc52fe68bd2a65a050287cf9412325557c65dfe6ca2ae3a8bb465e239085d877a6521710dc88f0e2e68dbd6cc7cf557281f95c882217d135d47b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240561640.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240561843.exe

Filesize
883KB

MD5
44c6664ce2278eb1f4c2c2324a4aed38

SHA1
e02a0cae906c6da6c9750e4cbf7314565c6a2d22

SHA256
0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2

SHA512
b14e810469dc52fe68bd2a65a050287cf9412325557c65dfe6ca2ae3a8bb465e239085d877a6521710dc88f0e2e68dbd6cc7cf557281f95c882217d135d47b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240561843.exe

Filesize
883KB

MD5
44c6664ce2278eb1f4c2c2324a4aed38

SHA1
e02a0cae906c6da6c9750e4cbf7314565c6a2d22

SHA256
0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2

SHA512
b14e810469dc52fe68bd2a65a050287cf9412325557c65dfe6ca2ae3a8bb465e239085d877a6521710dc88f0e2e68dbd6cc7cf557281f95c882217d135d47b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240561921.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240562093.exe

Filesize
883KB

MD5
44c6664ce2278eb1f4c2c2324a4aed38

SHA1
e02a0cae906c6da6c9750e4cbf7314565c6a2d22

SHA256
0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2

SHA512
b14e810469dc52fe68bd2a65a050287cf9412325557c65dfe6ca2ae3a8bb465e239085d877a6521710dc88f0e2e68dbd6cc7cf557281f95c882217d135d47b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240562093.exe

Filesize
883KB

MD5
44c6664ce2278eb1f4c2c2324a4aed38

SHA1
e02a0cae906c6da6c9750e4cbf7314565c6a2d22

SHA256
0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2

SHA512
b14e810469dc52fe68bd2a65a050287cf9412325557c65dfe6ca2ae3a8bb465e239085d877a6521710dc88f0e2e68dbd6cc7cf557281f95c882217d135d47b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240562203.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240562593.exe

Filesize
883KB

MD5
44c6664ce2278eb1f4c2c2324a4aed38

SHA1
e02a0cae906c6da6c9750e4cbf7314565c6a2d22

SHA256
0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2

SHA512
b14e810469dc52fe68bd2a65a050287cf9412325557c65dfe6ca2ae3a8bb465e239085d877a6521710dc88f0e2e68dbd6cc7cf557281f95c882217d135d47b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240562593.exe

Filesize
883KB

MD5
44c6664ce2278eb1f4c2c2324a4aed38

SHA1
e02a0cae906c6da6c9750e4cbf7314565c6a2d22

SHA256
0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2

SHA512
b14e810469dc52fe68bd2a65a050287cf9412325557c65dfe6ca2ae3a8bb465e239085d877a6521710dc88f0e2e68dbd6cc7cf557281f95c882217d135d47b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240579375.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240579843.exe

Filesize
883KB

MD5
44c6664ce2278eb1f4c2c2324a4aed38

SHA1
e02a0cae906c6da6c9750e4cbf7314565c6a2d22

SHA256
0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2

SHA512
b14e810469dc52fe68bd2a65a050287cf9412325557c65dfe6ca2ae3a8bb465e239085d877a6521710dc88f0e2e68dbd6cc7cf557281f95c882217d135d47b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240579843.exe

Filesize
883KB

MD5
44c6664ce2278eb1f4c2c2324a4aed38

SHA1
e02a0cae906c6da6c9750e4cbf7314565c6a2d22

SHA256
0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2

SHA512
b14e810469dc52fe68bd2a65a050287cf9412325557c65dfe6ca2ae3a8bb465e239085d877a6521710dc88f0e2e68dbd6cc7cf557281f95c882217d135d47b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240579937.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240580218.exe

Filesize
883KB

MD5
44c6664ce2278eb1f4c2c2324a4aed38

SHA1
e02a0cae906c6da6c9750e4cbf7314565c6a2d22

SHA256
0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2

SHA512
b14e810469dc52fe68bd2a65a050287cf9412325557c65dfe6ca2ae3a8bb465e239085d877a6521710dc88f0e2e68dbd6cc7cf557281f95c882217d135d47b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240580218.exe

Filesize
883KB

MD5
44c6664ce2278eb1f4c2c2324a4aed38

SHA1
e02a0cae906c6da6c9750e4cbf7314565c6a2d22

SHA256
0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2

SHA512
b14e810469dc52fe68bd2a65a050287cf9412325557c65dfe6ca2ae3a8bb465e239085d877a6521710dc88f0e2e68dbd6cc7cf557281f95c882217d135d47b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240581281.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240581703.exe

Filesize
883KB

MD5
44c6664ce2278eb1f4c2c2324a4aed38

SHA1
e02a0cae906c6da6c9750e4cbf7314565c6a2d22

SHA256
0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2

SHA512
b14e810469dc52fe68bd2a65a050287cf9412325557c65dfe6ca2ae3a8bb465e239085d877a6521710dc88f0e2e68dbd6cc7cf557281f95c882217d135d47b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240581703.exe

Filesize
883KB

MD5
44c6664ce2278eb1f4c2c2324a4aed38

SHA1
e02a0cae906c6da6c9750e4cbf7314565c6a2d22

SHA256
0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2

SHA512
b14e810469dc52fe68bd2a65a050287cf9412325557c65dfe6ca2ae3a8bb465e239085d877a6521710dc88f0e2e68dbd6cc7cf557281f95c882217d135d47b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240581796.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240582015.exe

Filesize
883KB

MD5
44c6664ce2278eb1f4c2c2324a4aed38

SHA1
e02a0cae906c6da6c9750e4cbf7314565c6a2d22

SHA256
0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2

SHA512
b14e810469dc52fe68bd2a65a050287cf9412325557c65dfe6ca2ae3a8bb465e239085d877a6521710dc88f0e2e68dbd6cc7cf557281f95c882217d135d47b31

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240582015.exe

Filesize
883KB

MD5
44c6664ce2278eb1f4c2c2324a4aed38

SHA1
e02a0cae906c6da6c9750e4cbf7314565c6a2d22

SHA256
0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2

SHA512
b14e810469dc52fe68bd2a65a050287cf9412325557c65dfe6ca2ae3a8bb465e239085d877a6521710dc88f0e2e68dbd6cc7cf557281f95c882217d135d47b31

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
883KB

MD5
44c6664ce2278eb1f4c2c2324a4aed38

SHA1
e02a0cae906c6da6c9750e4cbf7314565c6a2d22

SHA256
0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2

SHA512
b14e810469dc52fe68bd2a65a050287cf9412325557c65dfe6ca2ae3a8bb465e239085d877a6521710dc88f0e2e68dbd6cc7cf557281f95c882217d135d47b31

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
883KB

MD5
44c6664ce2278eb1f4c2c2324a4aed38

SHA1
e02a0cae906c6da6c9750e4cbf7314565c6a2d22

SHA256
0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2

SHA512
b14e810469dc52fe68bd2a65a050287cf9412325557c65dfe6ca2ae3a8bb465e239085d877a6521710dc88f0e2e68dbd6cc7cf557281f95c882217d135d47b31

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
883KB

MD5
44c6664ce2278eb1f4c2c2324a4aed38

SHA1
e02a0cae906c6da6c9750e4cbf7314565c6a2d22

SHA256
0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2

SHA512
b14e810469dc52fe68bd2a65a050287cf9412325557c65dfe6ca2ae3a8bb465e239085d877a6521710dc88f0e2e68dbd6cc7cf557281f95c882217d135d47b31

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
883KB

MD5
44c6664ce2278eb1f4c2c2324a4aed38

SHA1
e02a0cae906c6da6c9750e4cbf7314565c6a2d22

SHA256
0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2

SHA512
b14e810469dc52fe68bd2a65a050287cf9412325557c65dfe6ca2ae3a8bb465e239085d877a6521710dc88f0e2e68dbd6cc7cf557281f95c882217d135d47b31

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
883KB

MD5
44c6664ce2278eb1f4c2c2324a4aed38

SHA1
e02a0cae906c6da6c9750e4cbf7314565c6a2d22

SHA256
0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2

SHA512
b14e810469dc52fe68bd2a65a050287cf9412325557c65dfe6ca2ae3a8bb465e239085d877a6521710dc88f0e2e68dbd6cc7cf557281f95c882217d135d47b31

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
883KB

MD5
44c6664ce2278eb1f4c2c2324a4aed38

SHA1
e02a0cae906c6da6c9750e4cbf7314565c6a2d22

SHA256
0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2

SHA512
b14e810469dc52fe68bd2a65a050287cf9412325557c65dfe6ca2ae3a8bb465e239085d877a6521710dc88f0e2e68dbd6cc7cf557281f95c882217d135d47b31

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
883KB

MD5
44c6664ce2278eb1f4c2c2324a4aed38

SHA1
e02a0cae906c6da6c9750e4cbf7314565c6a2d22

SHA256
0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2

SHA512
b14e810469dc52fe68bd2a65a050287cf9412325557c65dfe6ca2ae3a8bb465e239085d877a6521710dc88f0e2e68dbd6cc7cf557281f95c882217d135d47b31

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
883KB

MD5
44c6664ce2278eb1f4c2c2324a4aed38

SHA1
e02a0cae906c6da6c9750e4cbf7314565c6a2d22

SHA256
0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2

SHA512
b14e810469dc52fe68bd2a65a050287cf9412325557c65dfe6ca2ae3a8bb465e239085d877a6521710dc88f0e2e68dbd6cc7cf557281f95c882217d135d47b31

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
883KB

MD5
44c6664ce2278eb1f4c2c2324a4aed38

SHA1
e02a0cae906c6da6c9750e4cbf7314565c6a2d22

SHA256
0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2

SHA512
b14e810469dc52fe68bd2a65a050287cf9412325557c65dfe6ca2ae3a8bb465e239085d877a6521710dc88f0e2e68dbd6cc7cf557281f95c882217d135d47b31

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
883KB

MD5
44c6664ce2278eb1f4c2c2324a4aed38

SHA1
e02a0cae906c6da6c9750e4cbf7314565c6a2d22

SHA256
0f6104d6779378c1a07ccf6e1a544ba59578b91cdf9d16e97b23b17736bc5fd2

SHA512
b14e810469dc52fe68bd2a65a050287cf9412325557c65dfe6ca2ae3a8bb465e239085d877a6521710dc88f0e2e68dbd6cc7cf557281f95c882217d135d47b31

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.0MB

MD5
2ead3af3fd20e047d98ce696ef84e4db

SHA1
1a6174251d850e45acdba9dcef14f14ec8e60e37

SHA256
1881703e1a94b2687e38538978b0a60ae3cb0c987ee147d950b70b237fdfcc22

SHA512
73c963ab07943f0ae7f0dc858c83746ce4baac7c4e0cf967fe6a422fbdad3700033f59e4cfb2a62753b78e7feb1fbacef760d0f3e1b3b703649a939826866924

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.0MB

MD5
2ead3af3fd20e047d98ce696ef84e4db

SHA1
1a6174251d850e45acdba9dcef14f14ec8e60e37

SHA256
1881703e1a94b2687e38538978b0a60ae3cb0c987ee147d950b70b237fdfcc22

SHA512
73c963ab07943f0ae7f0dc858c83746ce4baac7c4e0cf967fe6a422fbdad3700033f59e4cfb2a62753b78e7feb1fbacef760d0f3e1b3b703649a939826866924

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.0MB

MD5
2ead3af3fd20e047d98ce696ef84e4db

SHA1
1a6174251d850e45acdba9dcef14f14ec8e60e37

SHA256
1881703e1a94b2687e38538978b0a60ae3cb0c987ee147d950b70b237fdfcc22

SHA512
73c963ab07943f0ae7f0dc858c83746ce4baac7c4e0cf967fe6a422fbdad3700033f59e4cfb2a62753b78e7feb1fbacef760d0f3e1b3b703649a939826866924

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.0MB

MD5
2ead3af3fd20e047d98ce696ef84e4db

SHA1
1a6174251d850e45acdba9dcef14f14ec8e60e37

SHA256
1881703e1a94b2687e38538978b0a60ae3cb0c987ee147d950b70b237fdfcc22

SHA512
73c963ab07943f0ae7f0dc858c83746ce4baac7c4e0cf967fe6a422fbdad3700033f59e4cfb2a62753b78e7feb1fbacef760d0f3e1b3b703649a939826866924

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.0MB

MD5
2ead3af3fd20e047d98ce696ef84e4db

SHA1
1a6174251d850e45acdba9dcef14f14ec8e60e37

SHA256
1881703e1a94b2687e38538978b0a60ae3cb0c987ee147d950b70b237fdfcc22

SHA512
73c963ab07943f0ae7f0dc858c83746ce4baac7c4e0cf967fe6a422fbdad3700033f59e4cfb2a62753b78e7feb1fbacef760d0f3e1b3b703649a939826866924

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.0MB

MD5
2ead3af3fd20e047d98ce696ef84e4db

SHA1
1a6174251d850e45acdba9dcef14f14ec8e60e37

SHA256
1881703e1a94b2687e38538978b0a60ae3cb0c987ee147d950b70b237fdfcc22

SHA512
73c963ab07943f0ae7f0dc858c83746ce4baac7c4e0cf967fe6a422fbdad3700033f59e4cfb2a62753b78e7feb1fbacef760d0f3e1b3b703649a939826866924

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.0MB

MD5
2ead3af3fd20e047d98ce696ef84e4db

SHA1
1a6174251d850e45acdba9dcef14f14ec8e60e37

SHA256
1881703e1a94b2687e38538978b0a60ae3cb0c987ee147d950b70b237fdfcc22

SHA512
73c963ab07943f0ae7f0dc858c83746ce4baac7c4e0cf967fe6a422fbdad3700033f59e4cfb2a62753b78e7feb1fbacef760d0f3e1b3b703649a939826866924

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.0MB

MD5
2ead3af3fd20e047d98ce696ef84e4db

SHA1
1a6174251d850e45acdba9dcef14f14ec8e60e37

SHA256
1881703e1a94b2687e38538978b0a60ae3cb0c987ee147d950b70b237fdfcc22

SHA512
73c963ab07943f0ae7f0dc858c83746ce4baac7c4e0cf967fe6a422fbdad3700033f59e4cfb2a62753b78e7feb1fbacef760d0f3e1b3b703649a939826866924

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.0MB

MD5
2ead3af3fd20e047d98ce696ef84e4db

SHA1
1a6174251d850e45acdba9dcef14f14ec8e60e37

SHA256
1881703e1a94b2687e38538978b0a60ae3cb0c987ee147d950b70b237fdfcc22

SHA512
73c963ab07943f0ae7f0dc858c83746ce4baac7c4e0cf967fe6a422fbdad3700033f59e4cfb2a62753b78e7feb1fbacef760d0f3e1b3b703649a939826866924

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.0MB

MD5
2ead3af3fd20e047d98ce696ef84e4db

SHA1
1a6174251d850e45acdba9dcef14f14ec8e60e37

SHA256
1881703e1a94b2687e38538978b0a60ae3cb0c987ee147d950b70b237fdfcc22

SHA512
73c963ab07943f0ae7f0dc858c83746ce4baac7c4e0cf967fe6a422fbdad3700033f59e4cfb2a62753b78e7feb1fbacef760d0f3e1b3b703649a939826866924

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.0MB

MD5
2ead3af3fd20e047d98ce696ef84e4db

SHA1
1a6174251d850e45acdba9dcef14f14ec8e60e37

SHA256
1881703e1a94b2687e38538978b0a60ae3cb0c987ee147d950b70b237fdfcc22

SHA512
73c963ab07943f0ae7f0dc858c83746ce4baac7c4e0cf967fe6a422fbdad3700033f59e4cfb2a62753b78e7feb1fbacef760d0f3e1b3b703649a939826866924

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.0MB

MD5
2ead3af3fd20e047d98ce696ef84e4db

SHA1
1a6174251d850e45acdba9dcef14f14ec8e60e37

SHA256
1881703e1a94b2687e38538978b0a60ae3cb0c987ee147d950b70b237fdfcc22

SHA512
73c963ab07943f0ae7f0dc858c83746ce4baac7c4e0cf967fe6a422fbdad3700033f59e4cfb2a62753b78e7feb1fbacef760d0f3e1b3b703649a939826866924

Download Submit
memory/228-196-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/228-204-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/228-194-0x0000000000000000-mapping.dmp

Download
memory/332-143-0x0000000000000000-mapping.dmp

Download
memory/332-152-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/404-295-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/720-245-0x0000000000000000-mapping.dmp

Download
memory/752-322-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/916-302-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/916-301-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/976-275-0x0000000000000000-mapping.dmp

Download
memory/996-318-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1200-171-0x0000000000000000-mapping.dmp

Download
memory/1204-250-0x0000000000000000-mapping.dmp

Download
memory/1304-208-0x0000000000000000-mapping.dmp

Download
memory/1308-294-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1488-251-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1488-248-0x0000000000000000-mapping.dmp

Download
memory/1588-138-0x0000000000000000-mapping.dmp

Download
memory/1636-270-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1636-265-0x0000000000000000-mapping.dmp

Download
memory/1636-266-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1636-268-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1684-307-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1684-255-0x0000000000000000-mapping.dmp

Download
memory/1736-257-0x0000000000000000-mapping.dmp

Download
memory/1736-260-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1820-193-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1820-184-0x0000000000000000-mapping.dmp

Download
memory/1832-321-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1868-299-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1868-222-0x0000000000000000-mapping.dmp

Download
memory/2008-323-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2108-132-0x0000000000000000-mapping.dmp

Download
memory/2108-142-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2184-272-0x0000000000000000-mapping.dmp

Download
memory/2220-280-0x0000000000000000-mapping.dmp

Download
memory/2220-283-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2232-148-0x0000000000000000-mapping.dmp

Download
memory/2304-232-0x0000000000000000-mapping.dmp

Download
memory/2320-227-0x0000000000000000-mapping.dmp

Download
memory/2320-236-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2360-174-0x0000000000000000-mapping.dmp

Download
memory/2360-183-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2380-135-0x0000000000000000-mapping.dmp

Download
memory/2388-286-0x0000000000000000-mapping.dmp

Download
memory/2388-317-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2396-309-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2396-310-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2492-313-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2560-163-0x0000000000000000-mapping.dmp

Download
memory/2560-173-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2560-165-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2700-200-0x0000000000000000-mapping.dmp

Download
memory/2720-244-0x0000000000000000-mapping.dmp

Download
memory/2720-247-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2796-229-0x0000000000000000-mapping.dmp

Download
memory/2880-284-0x0000000000000000-mapping.dmp

Download
memory/2880-287-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2884-291-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3064-281-0x0000000000000000-mapping.dmp

Download
memory/3136-316-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3148-274-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3148-277-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3148-271-0x0000000000000000-mapping.dmp

Download
memory/3180-189-0x0000000000000000-mapping.dmp

Download
memory/3236-304-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3288-262-0x0000000000000000-mapping.dmp

Download
memory/3300-298-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3300-297-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3336-213-0x0000000000000000-mapping.dmp

Download
memory/3376-293-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3380-249-0x0000000000000000-mapping.dmp

Download
memory/3424-197-0x0000000000000000-mapping.dmp

Download
memory/3564-226-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3564-218-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3564-216-0x0000000000000000-mapping.dmp

Download
memory/3596-279-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3596-273-0x0000000000000000-mapping.dmp

Download
memory/3636-320-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3652-319-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3656-308-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3756-166-0x0000000000000000-mapping.dmp

Download
memory/3980-179-0x0000000000000000-mapping.dmp

Download
memory/4060-267-0x0000000000000000-mapping.dmp

Download
memory/4172-246-0x0000000000000000-mapping.dmp

Download
memory/4180-306-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4180-305-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4208-186-0x0000000000000000-mapping.dmp

Download
memory/4224-239-0x0000000000000000-mapping.dmp

Download
memory/4272-254-0x0000000000000000-mapping.dmp

Download
memory/4300-263-0x0000000000000000-mapping.dmp

Download
memory/4304-253-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4304-252-0x0000000000000000-mapping.dmp

Download
memory/4304-256-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4308-160-0x0000000000000000-mapping.dmp

Download
memory/4308-282-0x0000000000000000-mapping.dmp

Download
memory/4372-176-0x0000000000000000-mapping.dmp

Download
memory/4388-285-0x0000000000000000-mapping.dmp

Download
memory/4496-219-0x0000000000000000-mapping.dmp

Download
memory/4664-261-0x0000000000000000-mapping.dmp

Download
memory/4664-264-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4732-269-0x0000000000000000-mapping.dmp

Download
memory/4732-312-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4732-311-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4756-237-0x0000000000000000-mapping.dmp

Download
memory/4756-243-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4764-162-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4764-153-0x0000000000000000-mapping.dmp

Download
memory/4800-278-0x0000000000000000-mapping.dmp

Download
memory/4824-215-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4824-296-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4824-205-0x0000000000000000-mapping.dmp

Download
memory/4824-207-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4876-276-0x0000000000000000-mapping.dmp

Download
memory/4888-290-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4888-289-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4888-288-0x0000000000000000-mapping.dmp

Download
memory/4892-145-0x0000000000000000-mapping.dmp

Download
memory/4924-258-0x0000000000000000-mapping.dmp

Download
memory/4952-300-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4960-303-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4960-242-0x0000000000000000-mapping.dmp

Download
memory/4992-259-0x0000000000000000-mapping.dmp

Download
memory/5004-292-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5024-315-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5024-314-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5052-155-0x0000000000000000-mapping.dmp

Download