3f9a118b18858a5fc9d37000e768fb8e8d139bef2e78af902d07ee76fefe8f6b

Analysis

max time kernel
22s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 20:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f9a118b18858a5fc9d37000e768fb8e8d139bef2e78af902d07ee76fefe8f6b.exe
Size

5.2MB
MD5

788810168de6f1000118ff3923e105dd
SHA1

96d23b1692efd3a2608835eac6e2e11e4dc7b8d0
SHA256

3f9a118b18858a5fc9d37000e768fb8e8d139bef2e78af902d07ee76fefe8f6b
SHA512

68f050d155dfd2554205bd477a78e85f76e0f20bdf34449cf15996e99303102479bfb9c9da4a355436e099c715bc85daf96a7df16ecfbb457c0993bb5da3e0b3
SSDEEP

12288:HPgdPrPFdPZdPiPFdPZdPFPFdPZdPhPgdPrPFdPZdPiPFdPZdPFPFdPZdPTPgdPc:

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 31 IoCs

pid	Process
3044	tmp240567265.exe
1456	tmp240567328.exe
4532	tmp240568468.exe
5012	tmp240568968.exe
3996	tmp240570000.exe
3860	tmp240572109.exe
3592	tmp240572375.exe
2880	tmp240572421.exe
2136	tmp240572531.exe
216	tmp240572562.exe
2696	tmp240572640.exe
4536	tmp240572796.exe
4644	notpad.exe
4136	tmp240573109.exe
1016	tmp240619359.exe
424	tmp240594609.exe
4308	tmp240573250.exe
4056	tmp240573500.exe
3056	notpad.exe
4348	tmp240573843.exe
4244	tmp240595640.exe
5044	tmp240573968.exe
1404	tmp240574156.exe
4396	tmp240595843.exe
3132	tmp240617453.exe
1228	tmp240574421.exe
4152	notpad.exe
1944	tmp240605062.exe
1196	tmp240596421.exe
2780	tmp240666046.exe
2656	tmp240706718.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/848-135-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0004000000022dee-138.dat	upx
behavioral2/files/0x0004000000022dee-137.dat	upx
behavioral2/memory/848-139-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1456-143-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1456-147-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0001000000022dfb-146.dat	upx
behavioral2/files/0x0001000000022dfb-145.dat	upx
behavioral2/memory/5012-148-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0001000000022dfe-155.dat	upx
behavioral2/memory/5012-154-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0001000000022e01-161.dat	upx
behavioral2/memory/3860-162-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2880-169-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0001000000022e04-168.dat	upx
behavioral2/files/0x0001000000022e04-167.dat	upx
behavioral2/files/0x0002000000022df7-178.dat	upx
behavioral2/memory/4536-192-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4644-194-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0002000000022e10-202.dat	upx
behavioral2/memory/424-203-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0003000000022df7-212.dat	upx
behavioral2/files/0x0001000000022e11-211.dat	upx
behavioral2/files/0x0001000000022e18-225.dat	upx
behavioral2/files/0x0001000000022e18-224.dat	upx
behavioral2/memory/4244-221-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0001000000022df5-217.dat	upx
behavioral2/memory/3056-213-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0003000000022df7-210.dat	upx
behavioral2/files/0x0001000000022e11-209.dat	upx
behavioral2/files/0x0002000000022e17-229.dat	upx
behavioral2/files/0x0002000000022e17-230.dat	upx
behavioral2/memory/5044-231-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4244-228-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0001000000022e11-233.dat	upx
behavioral2/memory/5044-226-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0002000000022e10-201.dat	upx
behavioral2/files/0x0001000000022df5-198.dat	upx
behavioral2/files/0x0001000000022e0b-191.dat	upx
behavioral2/files/0x0001000000022e0b-190.dat	upx
behavioral2/memory/4644-188-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4536-186-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1228-236-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4152-235-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3132-234-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/216-179-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0002000000022df7-177.dat	upx
behavioral2/files/0x0001000000022e07-176.dat	upx
behavioral2/files/0x0001000000022e07-175.dat	upx
behavioral2/files/0x0001000000022e01-160.dat	upx
behavioral2/files/0x0001000000022dfe-153.dat	upx
behavioral2/files/0x0001000000022e11-246.dat	upx
behavioral2/files/0x0001000000022df5-241.dat	upx
behavioral2/memory/2780-247-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1228-252-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3132-253-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/456-255-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2780-264-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4372-273-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3620-276-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1832-275-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/456-271-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4128-269-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4152-265-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240607156.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240573500.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240574156.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240605062.exe

Drops file in System32 directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240574156.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240574156.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240605062.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240605062.exe
File created	C:\Windows\SysWOW64\fsb.tmp	tmp240567265.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240567265.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240567265.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240573500.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240605062.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240567265.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240573500.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240573500.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240574156.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3612	756	WerFault.exe	114

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240567265.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240573500.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240574156.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240605062.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 848 wrote to memory of 3044	848	3f9a118b18858a5fc9d37000e768fb8e8d139bef2e78af902d07ee76fefe8f6b.exe	82
PID 848 wrote to memory of 3044	848	3f9a118b18858a5fc9d37000e768fb8e8d139bef2e78af902d07ee76fefe8f6b.exe	82
PID 848 wrote to memory of 3044	848	3f9a118b18858a5fc9d37000e768fb8e8d139bef2e78af902d07ee76fefe8f6b.exe	82
PID 848 wrote to memory of 1456	848	3f9a118b18858a5fc9d37000e768fb8e8d139bef2e78af902d07ee76fefe8f6b.exe	83
PID 848 wrote to memory of 1456	848	3f9a118b18858a5fc9d37000e768fb8e8d139bef2e78af902d07ee76fefe8f6b.exe	83
PID 848 wrote to memory of 1456	848	3f9a118b18858a5fc9d37000e768fb8e8d139bef2e78af902d07ee76fefe8f6b.exe	83
PID 1456 wrote to memory of 4532	1456	tmp240567328.exe	84
PID 1456 wrote to memory of 4532	1456	tmp240567328.exe	84
PID 1456 wrote to memory of 4532	1456	tmp240567328.exe	84
PID 1456 wrote to memory of 5012	1456	tmp240567328.exe	85
PID 1456 wrote to memory of 5012	1456	tmp240567328.exe	85
PID 1456 wrote to memory of 5012	1456	tmp240567328.exe	85
PID 5012 wrote to memory of 3996	5012	tmp240568968.exe	86
PID 5012 wrote to memory of 3996	5012	tmp240568968.exe	86
PID 5012 wrote to memory of 3996	5012	tmp240568968.exe	86
PID 5012 wrote to memory of 3860	5012	tmp240568968.exe	87
PID 5012 wrote to memory of 3860	5012	tmp240568968.exe	87
PID 5012 wrote to memory of 3860	5012	tmp240568968.exe	87
PID 3860 wrote to memory of 3592	3860	tmp240572109.exe	88
PID 3860 wrote to memory of 3592	3860	tmp240572109.exe	88
PID 3860 wrote to memory of 3592	3860	tmp240572109.exe	88
PID 3860 wrote to memory of 2880	3860	tmp240572109.exe	108
PID 3860 wrote to memory of 2880	3860	tmp240572109.exe	108
PID 3860 wrote to memory of 2880	3860	tmp240572109.exe	108
PID 2880 wrote to memory of 2136	2880	tmp240572421.exe	107
PID 2880 wrote to memory of 2136	2880	tmp240572421.exe	107
PID 2880 wrote to memory of 2136	2880	tmp240572421.exe	107
PID 2880 wrote to memory of 216	2880	tmp240572421.exe	89
PID 2880 wrote to memory of 216	2880	tmp240572421.exe	89
PID 2880 wrote to memory of 216	2880	tmp240572421.exe	89
PID 216 wrote to memory of 2696	216	tmp240598359.exe	90
PID 216 wrote to memory of 2696	216	tmp240598359.exe	90
PID 216 wrote to memory of 2696	216	tmp240598359.exe	90
PID 216 wrote to memory of 4536	216	tmp240607296.exe	91
PID 216 wrote to memory of 4536	216	tmp240607296.exe	91
PID 216 wrote to memory of 4536	216	tmp240607296.exe	91
PID 3044 wrote to memory of 4644	3044	tmp240616234.exe	296
PID 3044 wrote to memory of 4644	3044	tmp240616234.exe	296
PID 3044 wrote to memory of 4644	3044	tmp240616234.exe	296
PID 4536 wrote to memory of 4136	4536	tmp240572796.exe	106
PID 4536 wrote to memory of 4136	4536	tmp240572796.exe	106
PID 4536 wrote to memory of 4136	4536	tmp240572796.exe	106
PID 4644 wrote to memory of 1016	4644	notpad.exe	481
PID 4644 wrote to memory of 1016	4644	notpad.exe	481
PID 4644 wrote to memory of 1016	4644	notpad.exe	481
PID 4536 wrote to memory of 424	4536	tmp240572796.exe	238
PID 4536 wrote to memory of 424	4536	tmp240572796.exe	238
PID 4536 wrote to memory of 424	4536	tmp240572796.exe	238
PID 4644 wrote to memory of 4308	4644	notpad.exe	93
PID 4644 wrote to memory of 4308	4644	notpad.exe	93
PID 4644 wrote to memory of 4308	4644	notpad.exe	93
PID 424 wrote to memory of 4056	424	tmp240594609.exe	94
PID 424 wrote to memory of 4056	424	tmp240594609.exe	94
PID 424 wrote to memory of 4056	424	tmp240594609.exe	94
PID 424 wrote to memory of 3056	424	tmp240594609.exe	235
PID 424 wrote to memory of 3056	424	tmp240594609.exe	235
PID 424 wrote to memory of 3056	424	tmp240594609.exe	235
PID 3056 wrote to memory of 4348	3056	notpad.exe	96
PID 3056 wrote to memory of 4348	3056	notpad.exe	96
PID 3056 wrote to memory of 4348	3056	notpad.exe	96
PID 4056 wrote to memory of 4244	4056	tmp240573500.exe	160
PID 4056 wrote to memory of 4244	4056	tmp240573500.exe	160
PID 4056 wrote to memory of 4244	4056	tmp240573500.exe	160
PID 3056 wrote to memory of 5044	3056	notpad.exe	97

C:\Users\Admin\AppData\Local\Temp\3f9a118b18858a5fc9d37000e768fb8e8d139bef2e78af902d07ee76fefe8f6b.exe
"C:\Users\Admin\AppData\Local\Temp\3f9a118b18858a5fc9d37000e768fb8e8d139bef2e78af902d07ee76fefe8f6b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:848
- C:\Users\Admin\AppData\Local\Temp\tmp240567265.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240567265.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:3044
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:4644
  - - C:\Users\Admin\AppData\Local\Temp\tmp240573250.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240573250.exe
      4⤵
      Executes dropped EXE
      PID:4308
  - - C:\Users\Admin\AppData\Local\Temp\tmp240573125.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240573125.exe
      4⤵
      PID:1016
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:2252
      - C:\Users\Admin\AppData\Local\Temp\tmp240598765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598765.exe
        6⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598843.exe
        7⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598796.exe
        7⤵
        
        PID:1688
      - C:\Users\Admin\AppData\Local\Temp\tmp240598703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598703.exe
        6⤵
        
        PID:1940
  - - C:\Users\Admin\AppData\Local\Temp\tmp240607593.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240607593.exe
      4⤵
      PID:5064
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:2400
  - - C:\Users\Admin\AppData\Local\Temp\tmp240607609.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240607609.exe
      4⤵
      PID:1976
    - - C:\Users\Admin\AppData\Local\Temp\tmp240607640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607640.exe
        5⤵
        
        PID:4408
    - - C:\Users\Admin\AppData\Local\Temp\tmp240607656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607656.exe
        5⤵
        
        PID:4856
      - C:\Users\Admin\AppData\Local\Temp\tmp240607718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607718.exe
        6⤵
        
        PID:2252
      - C:\Users\Admin\AppData\Local\Temp\tmp240607734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607734.exe
        6⤵
        
        PID:3168
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:2312
- C:\Users\Admin\AppData\Local\Temp\tmp240567328.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240567328.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1456
- - C:\Users\Admin\AppData\Local\Temp\tmp240568468.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240568468.exe
    3⤵
    - Executes dropped EXE
    PID:4532
- - C:\Users\Admin\AppData\Local\Temp\tmp240568968.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240568968.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5012
  - - C:\Users\Admin\AppData\Local\Temp\tmp240570000.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240570000.exe
      4⤵
      Executes dropped EXE
      PID:3996
  - - C:\Users\Admin\AppData\Local\Temp\tmp240572109.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240572109.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3860
    - - C:\Users\Admin\AppData\Local\Temp\tmp240572375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240572375.exe
        5⤵
        Executes dropped EXE
        
        PID:3592
    - - C:\Users\Admin\AppData\Local\Temp\tmp240572421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240572421.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2880

C:\Users\Admin\AppData\Local\Temp\tmp240572562.exe
C:\Users\Admin\AppData\Local\Temp\tmp240572562.exe
1⤵
- Executes dropped EXE
PID:216
- C:\Users\Admin\AppData\Local\Temp\tmp240572640.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240572640.exe
  2⤵
  - Executes dropped EXE
  PID:2696
- - C:\Users\Admin\AppData\Local\Temp\tmp240618796.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240618796.exe
    3⤵
    PID:3084
- - C:\Users\Admin\AppData\Local\Temp\tmp240618781.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240618781.exe
    3⤵
    PID:2412
- C:\Users\Admin\AppData\Local\Temp\tmp240572796.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240572796.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4536
- - C:\Users\Admin\AppData\Local\Temp\tmp240573218.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240573218.exe
    3⤵
    PID:424
- - C:\Users\Admin\AppData\Local\Temp\tmp240573109.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240573109.exe
    3⤵
    - Executes dropped EXE
    PID:4136
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:2160
- - C:\Users\Admin\AppData\Local\Temp\tmp240598546.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240598546.exe
    3⤵
    PID:3468
  - - C:\Users\Admin\AppData\Local\Temp\tmp240598593.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240598593.exe
      4⤵
      PID:1880
- - C:\Users\Admin\AppData\Local\Temp\tmp240598531.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240598531.exe
    3⤵
    PID:1016
  - - C:\Users\Admin\AppData\Local\Temp\tmp240616687.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240616687.exe
      4⤵
      PID:2520
  - - C:\Users\Admin\AppData\Local\Temp\tmp240616640.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240616640.exe
      4⤵
      PID:4856

C:\Users\Admin\AppData\Local\Temp\tmp240573500.exe
C:\Users\Admin\AppData\Local\Temp\tmp240573500.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4056
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:4244

C:\Users\Admin\AppData\Local\Temp\tmp240573687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240573687.exe
1⤵
PID:3056
- C:\Users\Admin\AppData\Local\Temp\tmp240573843.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240573843.exe
  2⤵
  - Executes dropped EXE
  PID:4348
- C:\Users\Admin\AppData\Local\Temp\tmp240573968.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240573968.exe
  2⤵
  - Executes dropped EXE
  PID:5044
- - C:\Users\Admin\AppData\Local\Temp\tmp240574203.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240574203.exe
    3⤵
    PID:4396
- - C:\Users\Admin\AppData\Local\Temp\tmp240574421.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240574421.exe
    3⤵
    - Executes dropped EXE
    PID:1228
  - - C:\Users\Admin\AppData\Local\Temp\tmp240575500.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240575500.exe
      4⤵
      PID:1196
  - - C:\Users\Admin\AppData\Local\Temp\tmp240582000.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240582000.exe
      4⤵
      PID:756
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 224
        5⤵
        Program crash
        
        PID:3612
- C:\Users\Admin\AppData\Local\Temp\tmp240595593.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240595593.exe
  2⤵
  PID:5032
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:5056
  - - C:\Users\Admin\AppData\Local\Temp\tmp240595968.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240595968.exe
      4⤵
      PID:960
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:544
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638703.exe
        7⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638765.exe
        8⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638921.exe
        9⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638859.exe
        9⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638734.exe
        8⤵
        
        PID:372
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635640.exe
        7⤵
        
        PID:4164
  - - C:\Users\Admin\AppData\Local\Temp\tmp240596000.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240596000.exe
      4⤵
      PID:3932
    - - C:\Users\Admin\AppData\Local\Temp\tmp240631890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631890.exe
        5⤵
        
        PID:2340
      - C:\Users\Admin\AppData\Local\Temp\tmp240631984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631984.exe
        6⤵
        
        PID:1520
      - C:\Users\Admin\AppData\Local\Temp\tmp240632203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632203.exe
        6⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638812.exe
        7⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638375.exe
        7⤵
        
        PID:3396
    - - C:\Users\Admin\AppData\Local\Temp\tmp240631640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631640.exe
        5⤵
        
        PID:3916
- C:\Users\Admin\AppData\Local\Temp\tmp240595640.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240595640.exe
  2⤵
  - Executes dropped EXE
  PID:4244
- - C:\Users\Admin\AppData\Local\Temp\tmp240595843.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240595843.exe
    3⤵
    - Executes dropped EXE
    PID:4396
- - C:\Users\Admin\AppData\Local\Temp\tmp240595765.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240595765.exe
    3⤵
    PID:744

C:\Users\Admin\AppData\Local\Temp\tmp240574156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240574156.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:1404
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  PID:4152
- - C:\Users\Admin\AppData\Local\Temp\tmp240575656.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240575656.exe
    3⤵
    PID:2656
- - C:\Users\Admin\AppData\Local\Temp\tmp240583203.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240583203.exe
    3⤵
    PID:4128
  - - C:\Users\Admin\AppData\Local\Temp\tmp240585078.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240585078.exe
      4⤵
      PID:3440
  - - C:\Users\Admin\AppData\Local\Temp\tmp240585218.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240585218.exe
      4⤵
      PID:2332

C:\Users\Admin\AppData\Local\Temp\tmp240574250.exe
C:\Users\Admin\AppData\Local\Temp\tmp240574250.exe
1⤵
PID:3132
- C:\Users\Admin\AppData\Local\Temp\tmp240575390.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240575390.exe
  2⤵
  PID:1944
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:2780
  - - C:\Users\Admin\AppData\Local\Temp\tmp240585015.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240585015.exe
      4⤵
      PID:1832
    - - C:\Users\Admin\AppData\Local\Temp\tmp240585328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240585328.exe
        5⤵
        
        PID:2912
    - - C:\Users\Admin\AppData\Local\Temp\tmp240585125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240585125.exe
        5⤵
        
        PID:4368
  - - C:\Users\Admin\AppData\Local\Temp\tmp240582171.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240582171.exe
      4⤵
      PID:1800
- C:\Users\Admin\AppData\Local\Temp\tmp240581937.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240581937.exe
  2⤵
  PID:1376

C:\Users\Admin\AppData\Local\Temp\tmp240572531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240572531.exe
1⤵
- Executes dropped EXE
PID:2136

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:456
- C:\Users\Admin\AppData\Local\Temp\tmp240585062.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240585062.exe
  2⤵
  PID:4372
- C:\Users\Admin\AppData\Local\Temp\tmp240584906.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240584906.exe
  2⤵
  PID:1432

C:\Users\Admin\AppData\Local\Temp\tmp240585203.exe
C:\Users\Admin\AppData\Local\Temp\tmp240585203.exe
1⤵
PID:4464

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:3620
- C:\Users\Admin\AppData\Local\Temp\tmp240585546.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240585546.exe
  2⤵
  PID:2848
- C:\Users\Admin\AppData\Local\Temp\tmp240585656.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240585656.exe
  2⤵
  PID:5096
- - C:\Users\Admin\AppData\Local\Temp\tmp240586828.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240586828.exe
    3⤵
    PID:4620
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:524
    - - C:\Users\Admin\AppData\Local\Temp\tmp240590953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590953.exe
        5⤵
        
        PID:1876
    - - C:\Users\Admin\AppData\Local\Temp\tmp240592484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592484.exe
        5⤵
        
        PID:2208
- - C:\Users\Admin\AppData\Local\Temp\tmp240590796.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240590796.exe
    3⤵
    PID:4532
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:2316

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:5100
- C:\Users\Admin\AppData\Local\Temp\tmp240585859.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240585859.exe
  2⤵
  PID:2236
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:4172
  - - C:\Users\Admin\AppData\Local\Temp\tmp240586984.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240586984.exe
      4⤵
      PID:4156
  - - C:\Users\Admin\AppData\Local\Temp\tmp240590781.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240590781.exe
      4⤵
      PID:3928
    - - C:\Users\Admin\AppData\Local\Temp\tmp240590875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590875.exe
        5⤵
        
        PID:3324
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593093.exe
        7⤵
        
        PID:820
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595390.exe
        9⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603640.exe
        10⤵
        
        PID:744
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603890.exe
        12⤵
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604718.exe
        12⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631796.exe
        11⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631781.exe
        11⤵
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594609.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:424
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616656.exe
        9⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616734.exe
        10⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616718.exe
        10⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648968.exe
        11⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666031.exe
        13⤵
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672671.exe
        13⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675671.exe
        14⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676000.exe
        15⤵
        
        PID:3980
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676906.exe
        17⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681046.exe
        17⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683234.exe
        18⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        19⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687093.exe
        20⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688531.exe
        20⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692984.exe
        21⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696218.exe
        21⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708078.exe
        22⤵
        
        PID:856
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        23⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685406.exe
        18⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686968.exe
        19⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688484.exe
        19⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690000.exe
        20⤵
        
        PID:3868
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        21⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694015.exe
        22⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698687.exe
        22⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704703.exe
        23⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708015.exe
        23⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708421.exe
        24⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693828.exe
        20⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698796.exe
        21⤵
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701453.exe
        21⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705562.exe
        22⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706718.exe
        22⤵
        Executes dropped EXE
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708375.exe
        23⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\tmp240712640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240712640.exe
        23⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676703.exe
        15⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679687.exe
        16⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681031.exe
        16⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683218.exe
        17⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674218.exe
        14⤵
        
        PID:480
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631609.exe
        11⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627171.exe
        11⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616625.exe
        9⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593203.exe
        7⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593281.exe
        8⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595343.exe
        10⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594781.exe
        10⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598984.exe
        10⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604671.exe
        12⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604750.exe
        13⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604843.exe
        13⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603703.exe
        12⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602515.exe
        10⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603734.exe
        11⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613781.exe
        12⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608234.exe
        12⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594625.exe
        8⤵
        
        PID:4980
    - - C:\Users\Admin\AppData\Local\Temp\tmp240592500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592500.exe
        5⤵
        
        PID:2136
    - - C:\Users\Admin\AppData\Local\Temp\tmp240618578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618578.exe
        5⤵
        
        PID:1384
    - - C:\Users\Admin\AppData\Local\Temp\tmp240618593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618593.exe
        5⤵
        
        PID:1784
      - C:\Users\Admin\AppData\Local\Temp\tmp240618703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618703.exe
        6⤵
        
        PID:2928
      - C:\Users\Admin\AppData\Local\Temp\tmp240618687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618687.exe
        6⤵
        
        PID:4908
      - C:\Users\Admin\AppData\Local\Temp\tmp240616109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616109.exe
        6⤵
        
        PID:4028
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:4620
    - - C:\Users\Admin\AppData\Local\Temp\tmp240683390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683390.exe
        5⤵
        
        PID:364
    - - C:\Users\Admin\AppData\Local\Temp\tmp240685437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685437.exe
        5⤵
        
        PID:2296
      - C:\Users\Admin\AppData\Local\Temp\tmp240688453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688453.exe
        6⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693000.exe
        8⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696187.exe
        8⤵
        
        PID:1256
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708156.exe
        9⤵
        
        PID:1832
      - C:\Users\Admin\AppData\Local\Temp\tmp240689906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689906.exe
        6⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692921.exe
        7⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696171.exe
        7⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704765.exe
        8⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708062.exe
        8⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714062.exe
        9⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708390.exe
        9⤵
        
        PID:4656
- C:\Users\Admin\AppData\Local\Temp\tmp240586812.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240586812.exe
  2⤵
  PID:4060
- - C:\Users\Admin\AppData\Local\Temp\tmp240587953.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240587953.exe
    3⤵
    PID:3924
- - C:\Users\Admin\AppData\Local\Temp\tmp240590859.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240590859.exe
    3⤵
    PID:1312
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:4144

C:\Users\Admin\AppData\Local\Temp\tmp240585406.exe
C:\Users\Admin\AppData\Local\Temp\tmp240585406.exe
1⤵
PID:3852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 756 -ip 756
1⤵
PID:2524

C:\Users\Admin\AppData\Local\Temp\tmp240593015.exe
C:\Users\Admin\AppData\Local\Temp\tmp240593015.exe
1⤵
PID:3188

C:\Users\Admin\AppData\Local\Temp\tmp240592875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240592875.exe
1⤵
PID:1448

C:\Users\Admin\AppData\Local\Temp\tmp240595421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240595421.exe
1⤵
PID:2400
- C:\Users\Admin\AppData\Local\Temp\tmp240607812.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240607812.exe
  2⤵
  PID:1988
- - C:\Users\Admin\AppData\Local\Temp\tmp240607859.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240607859.exe
    3⤵
    PID:4552
- - C:\Users\Admin\AppData\Local\Temp\tmp240607843.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240607843.exe
    3⤵
    PID:3316
- C:\Users\Admin\AppData\Local\Temp\tmp240607796.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240607796.exe
  2⤵
  PID:4296

C:\Users\Admin\AppData\Local\Temp\tmp240595484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240595484.exe
1⤵
PID:5076
- C:\Users\Admin\AppData\Local\Temp\tmp240616875.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240616875.exe
  2⤵
  PID:932
- C:\Users\Admin\AppData\Local\Temp\tmp240616843.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240616843.exe
  2⤵
  PID:4552

C:\Users\Admin\AppData\Local\Temp\tmp240596187.exe
C:\Users\Admin\AppData\Local\Temp\tmp240596187.exe
1⤵
PID:3024
- C:\Users\Admin\AppData\Local\Temp\tmp240596234.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240596234.exe
  2⤵
  PID:2340
- - C:\Users\Admin\AppData\Local\Temp\tmp240613859.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240613859.exe
    3⤵
    PID:4672
- - C:\Users\Admin\AppData\Local\Temp\tmp240613921.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240613921.exe
    3⤵
    PID:4828
  - - C:\Users\Admin\AppData\Local\Temp\tmp240614109.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240614109.exe
      4⤵
      PID:2740
  - - C:\Users\Admin\AppData\Local\Temp\tmp240614000.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240614000.exe
      4⤵
      PID:384
- C:\Users\Admin\AppData\Local\Temp\tmp240596218.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240596218.exe
  2⤵
  PID:2820

C:\Users\Admin\AppData\Local\Temp\tmp240596171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240596171.exe
1⤵
PID:2740
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:2440
- - C:\Users\Admin\AppData\Local\Temp\tmp240596375.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240596375.exe
    3⤵
    PID:5048
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:876
- - C:\Users\Admin\AppData\Local\Temp\tmp240596421.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240596421.exe
    3⤵
    - Executes dropped EXE
    PID:1196
  - - C:\Users\Admin\AppData\Local\Temp\tmp240596531.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240596531.exe
      4⤵
      PID:2352
  - - C:\Users\Admin\AppData\Local\Temp\tmp240596500.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240596500.exe
      4⤵
      PID:4788

C:\Users\Admin\AppData\Local\Temp\tmp240596671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240596671.exe
1⤵
PID:4332
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:2656
- - C:\Users\Admin\AppData\Local\Temp\tmp240596843.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240596843.exe
    3⤵
    PID:1144
- - C:\Users\Admin\AppData\Local\Temp\tmp240596828.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240596828.exe
    3⤵
    PID:1496

C:\Users\Admin\AppData\Local\Temp\tmp240596906.exe
C:\Users\Admin\AppData\Local\Temp\tmp240596906.exe
1⤵
PID:3020

C:\Users\Admin\AppData\Local\Temp\tmp240596984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240596984.exe
1⤵
PID:3564
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:372

C:\Users\Admin\AppData\Local\Temp\tmp240597156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240597156.exe
1⤵
PID:3096
- C:\Users\Admin\AppData\Local\Temp\tmp240597187.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240597187.exe
  2⤵
  PID:3876
- C:\Users\Admin\AppData\Local\Temp\tmp240597203.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240597203.exe
  2⤵
  PID:4328

C:\Users\Admin\AppData\Local\Temp\tmp240597375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240597375.exe
1⤵
PID:1020

C:\Users\Admin\AppData\Local\Temp\tmp240597359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240597359.exe
1⤵
PID:4160
- C:\Users\Admin\AppData\Local\Temp\tmp240597406.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240597406.exe
  2⤵
  PID:3636

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1724
- C:\Users\Admin\AppData\Local\Temp\tmp240597515.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240597515.exe
  2⤵
  PID:4624
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:3924
  - - C:\Users\Admin\AppData\Local\Temp\tmp240597937.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240597937.exe
      4⤵
      PID:5116
    - - C:\Users\Admin\AppData\Local\Temp\tmp240597984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597984.exe
        5⤵
        
        PID:3684
    - - C:\Users\Admin\AppData\Local\Temp\tmp240598000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598000.exe
        5⤵
        
        PID:4208
  - - C:\Users\Admin\AppData\Local\Temp\tmp240597828.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240597828.exe
      4⤵
      PID:4060
- C:\Users\Admin\AppData\Local\Temp\tmp240597640.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240597640.exe
  2⤵
  PID:1380
- - C:\Users\Admin\AppData\Local\Temp\tmp240597687.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240597687.exe
    3⤵
    PID:3512
- - C:\Users\Admin\AppData\Local\Temp\tmp240597671.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240597671.exe
    3⤵
    PID:2224

C:\Users\Admin\AppData\Local\Temp\tmp240598125.exe
C:\Users\Admin\AppData\Local\Temp\tmp240598125.exe
1⤵
PID:524
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:3060
- - C:\Users\Admin\AppData\Local\Temp\tmp240598375.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240598375.exe
    3⤵
    PID:3404
- - C:\Users\Admin\AppData\Local\Temp\tmp240598359.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240598359.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:216

C:\Users\Admin\AppData\Local\Temp\tmp240598140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240598140.exe
1⤵
PID:2516
- C:\Users\Admin\AppData\Local\Temp\tmp240598218.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240598218.exe
  2⤵
  PID:2136
- C:\Users\Admin\AppData\Local\Temp\tmp240598250.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240598250.exe
  2⤵
  PID:3628

C:\Users\Admin\AppData\Local\Temp\tmp240598406.exe
C:\Users\Admin\AppData\Local\Temp\tmp240598406.exe
1⤵
PID:2208

C:\Users\Admin\AppData\Local\Temp\tmp240598578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240598578.exe
1⤵
PID:4408

C:\Users\Admin\AppData\Local\Temp\tmp240598437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240598437.exe
1⤵
PID:4632

C:\Users\Admin\AppData\Local\Temp\tmp240597343.exe
C:\Users\Admin\AppData\Local\Temp\tmp240597343.exe
1⤵
PID:4448

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:4812

C:\Users\Admin\AppData\Local\Temp\tmp240597140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240597140.exe
1⤵
PID:3548

C:\Users\Admin\AppData\Local\Temp\tmp240597046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240597046.exe
1⤵
PID:4372
- C:\Users\Admin\AppData\Local\Temp\tmp240614796.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240614796.exe
  2⤵
  PID:3564
- - C:\Users\Admin\AppData\Local\Temp\tmp240614828.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240614828.exe
    3⤵
    PID:4272
  - - C:\Users\Admin\AppData\Local\Temp\tmp240614890.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240614890.exe
      4⤵
      PID:2372
  - - C:\Users\Admin\AppData\Local\Temp\tmp240614906.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240614906.exe
      4⤵
      PID:3780
- - C:\Users\Admin\AppData\Local\Temp\tmp240614812.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240614812.exe
    3⤵
    PID:1796

C:\Users\Admin\AppData\Local\Temp\tmp240597031.exe
C:\Users\Admin\AppData\Local\Temp\tmp240597031.exe
1⤵
PID:456

C:\Users\Admin\AppData\Local\Temp\tmp240597000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240597000.exe
1⤵
PID:2424

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:2556

C:\Users\Admin\AppData\Local\Temp\tmp240596859.exe
C:\Users\Admin\AppData\Local\Temp\tmp240596859.exe
1⤵
PID:1852

C:\Users\Admin\AppData\Local\Temp\tmp240596796.exe
C:\Users\Admin\AppData\Local\Temp\tmp240596796.exe
1⤵
PID:2540

C:\Users\Admin\AppData\Local\Temp\tmp240596781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240596781.exe
1⤵
PID:4604

C:\Users\Admin\AppData\Local\Temp\tmp240596687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240596687.exe
1⤵
PID:3492

C:\Users\Admin\AppData\Local\Temp\tmp240596078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240596078.exe
1⤵
PID:908
- C:\Users\Admin\AppData\Local\Temp\tmp240604828.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240604828.exe
  2⤵
  PID:3788
- C:\Users\Admin\AppData\Local\Temp\tmp240604812.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240604812.exe
  2⤵
  PID:4592
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:2064

C:\Users\Admin\AppData\Local\Temp\tmp240596046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240596046.exe
1⤵
PID:4616

C:\Users\Admin\AppData\Local\Temp\tmp240595578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240595578.exe
1⤵
PID:5088

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3056

C:\Users\Admin\AppData\Local\Temp\tmp240595375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240595375.exe
1⤵
PID:912

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:3024
- C:\Users\Admin\AppData\Local\Temp\tmp240605031.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240605031.exe
  2⤵
  PID:2084
- - C:\Users\Admin\AppData\Local\Temp\tmp240605062.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240605062.exe
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in System32 directory
    - Modifies registry class
    PID:1944
- - C:\Users\Admin\AppData\Local\Temp\tmp240605125.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240605125.exe
    3⤵
    PID:1772
- C:\Users\Admin\AppData\Local\Temp\tmp240605015.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240605015.exe
  2⤵
  PID:3308
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:1484
  - - C:\Users\Admin\AppData\Local\Temp\tmp240605187.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240605187.exe
      4⤵
      PID:2352
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:4140
      - C:\Users\Admin\AppData\Local\Temp\tmp240605468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605468.exe
        6⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605734.exe
        8⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605765.exe
        9⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605796.exe
        9⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605718.exe
        8⤵
        
        PID:4748
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        
        PID:1984
      - C:\Users\Admin\AppData\Local\Temp\tmp240605515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605515.exe
        6⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605593.exe
        7⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605546.exe
        7⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617625.exe
        8⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617578.exe
        8⤵
        
        PID:2356
  - - C:\Users\Admin\AppData\Local\Temp\tmp240605218.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240605218.exe
      4⤵
      PID:3132
    - - C:\Users\Admin\AppData\Local\Temp\tmp240605343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605343.exe
        5⤵
        
        PID:1792
    - - C:\Users\Admin\AppData\Local\Temp\tmp240605265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605265.exe
        5⤵
        
        PID:1204
      - C:\Users\Admin\AppData\Local\Temp\tmp240617453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617453.exe
        6⤵
        Executes dropped EXE
        
        PID:3132
      - C:\Users\Admin\AppData\Local\Temp\tmp240617500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617500.exe
        6⤵
        
        PID:4332

C:\Users\Admin\AppData\Local\Temp\tmp240606031.exe
C:\Users\Admin\AppData\Local\Temp\tmp240606031.exe
1⤵
PID:4464
- C:\Users\Admin\AppData\Local\Temp\tmp240639000.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240639000.exe
  2⤵
  PID:3068
- - C:\Users\Admin\AppData\Local\Temp\tmp240639062.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240639062.exe
    3⤵
    PID:2288
  - - C:\Users\Admin\AppData\Local\Temp\tmp240639125.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240639125.exe
      4⤵
      PID:4792
  - - C:\Users\Admin\AppData\Local\Temp\tmp240639093.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240639093.exe
      4⤵
      PID:3620
- - C:\Users\Admin\AppData\Local\Temp\tmp240639015.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240639015.exe
    3⤵
    PID:4448
- C:\Users\Admin\AppData\Local\Temp\tmp240638984.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240638984.exe
  2⤵
  PID:3820

C:\Users\Admin\AppData\Local\Temp\tmp240606187.exe
C:\Users\Admin\AppData\Local\Temp\tmp240606187.exe
1⤵
PID:3012
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:4280

C:\Users\Admin\AppData\Local\Temp\tmp240606312.exe
C:\Users\Admin\AppData\Local\Temp\tmp240606312.exe
1⤵
PID:3548

C:\Users\Admin\AppData\Local\Temp\tmp240606437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240606437.exe
1⤵
PID:1020
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:3144
- - C:\Users\Admin\AppData\Local\Temp\tmp240639468.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240639468.exe
    3⤵
    PID:4908
  - - C:\Users\Admin\AppData\Local\Temp\tmp240639578.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240639578.exe
      4⤵
      PID:4580
  - - C:\Users\Admin\AppData\Local\Temp\tmp240639531.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240639531.exe
      4⤵
      PID:2316
- - C:\Users\Admin\AppData\Local\Temp\tmp240639359.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240639359.exe
    3⤵
    PID:1444

C:\Users\Admin\AppData\Local\Temp\tmp240606453.exe
C:\Users\Admin\AppData\Local\Temp\tmp240606453.exe
1⤵
PID:3892
- C:\Users\Admin\AppData\Local\Temp\tmp240606562.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240606562.exe
  2⤵
  PID:4892
- C:\Users\Admin\AppData\Local\Temp\tmp240606468.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240606468.exe
  2⤵
  PID:4500

C:\Users\Admin\AppData\Local\Temp\tmp240606687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240606687.exe
1⤵
PID:1712

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:644
- C:\Users\Admin\AppData\Local\Temp\tmp240606859.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240606859.exe
  2⤵
  PID:1036
- - C:\Users\Admin\AppData\Local\Temp\tmp240606937.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240606937.exe
    3⤵
    PID:3860
- - C:\Users\Admin\AppData\Local\Temp\tmp240606890.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240606890.exe
    3⤵
    PID:844
- C:\Users\Admin\AppData\Local\Temp\tmp240606843.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240606843.exe
  2⤵
  PID:4532
- C:\Users\Admin\AppData\Local\Temp\tmp240639265.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240639265.exe
  2⤵
  PID:4924
- C:\Users\Admin\AppData\Local\Temp\tmp240639281.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240639281.exe
  2⤵
  PID:3144

C:\Users\Admin\AppData\Local\Temp\tmp240607062.exe
C:\Users\Admin\AppData\Local\Temp\tmp240607062.exe
1⤵
PID:1264
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:3844

C:\Users\Admin\AppData\Local\Temp\tmp240607156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240607156.exe
1⤵
- Checks computer location settings
PID:3044
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:4404
- - C:\Users\Admin\AppData\Local\Temp\tmp240616484.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240616484.exe
    3⤵
    PID:4168
- - C:\Users\Admin\AppData\Local\Temp\tmp240616437.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240616437.exe
    3⤵
    PID:2364

C:\Users\Admin\AppData\Local\Temp\tmp240607281.exe
C:\Users\Admin\AppData\Local\Temp\tmp240607281.exe
1⤵
PID:1296
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4644

C:\Users\Admin\AppData\Local\Temp\tmp240607296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240607296.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:216
- C:\Users\Admin\AppData\Local\Temp\tmp240607359.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240607359.exe
  2⤵
  PID:1056
- C:\Users\Admin\AppData\Local\Temp\tmp240607343.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240607343.exe
  2⤵
  PID:3572
- C:\Users\Admin\AppData\Local\Temp\tmp240616453.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240616453.exe
  2⤵
  PID:3612
- C:\Users\Admin\AppData\Local\Temp\tmp240616421.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240616421.exe
  2⤵
  PID:3872

C:\Users\Admin\AppData\Local\Temp\tmp240607937.exe
C:\Users\Admin\AppData\Local\Temp\tmp240607937.exe
1⤵
PID:4596

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:2872
- C:\Users\Admin\AppData\Local\Temp\tmp240608046.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240608046.exe
  2⤵
  PID:1112
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:1088
- C:\Users\Admin\AppData\Local\Temp\tmp240608062.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240608062.exe
  2⤵
  PID:4132
- - C:\Users\Admin\AppData\Local\Temp\tmp240613765.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240613765.exe
    3⤵
    PID:3680
  - - C:\Users\Admin\AppData\Local\Temp\tmp240613937.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240613937.exe
      4⤵
      PID:3420
    - - C:\Users\Admin\AppData\Local\Temp\tmp240617234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617234.exe
        5⤵
        
        PID:2824
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:1204
    - - C:\Users\Admin\AppData\Local\Temp\tmp240617250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617250.exe
        5⤵
        
        PID:1340
  - - C:\Users\Admin\AppData\Local\Temp\tmp240617312.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240617312.exe
      4⤵
      PID:4232
    - - C:\Users\Admin\AppData\Local\Temp\tmp240617390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617390.exe
        5⤵
        
        PID:2064
      - C:\Users\Admin\AppData\Local\Temp\tmp240614234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614234.exe
        6⤵
        
        PID:1096
      - C:\Users\Admin\AppData\Local\Temp\tmp240614218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614218.exe
        6⤵
        
        PID:1748
    - - C:\Users\Admin\AppData\Local\Temp\tmp240617375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617375.exe
        5⤵
        
        PID:1092
  - - C:\Users\Admin\AppData\Local\Temp\tmp240617281.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240617281.exe
      4⤵
      PID:4356
- - C:\Users\Admin\AppData\Local\Temp\tmp240612578.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240612578.exe
    3⤵
    PID:4592

C:\Users\Admin\AppData\Local\Temp\tmp240607921.exe
C:\Users\Admin\AppData\Local\Temp\tmp240607921.exe
1⤵
PID:3136

C:\Users\Admin\AppData\Local\Temp\tmp240607109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240607109.exe
1⤵
PID:2412
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:3748
- - C:\Users\Admin\AppData\Local\Temp\tmp240619109.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240619109.exe
    3⤵
    PID:1880
  - - C:\Users\Admin\AppData\Local\Temp\tmp240619328.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240619328.exe
      4⤵
      PID:2400
  - - C:\Users\Admin\AppData\Local\Temp\tmp240626984.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240626984.exe
      4⤵
      PID:4192
    - - C:\Users\Admin\AppData\Local\Temp\tmp240631578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631578.exe
        5⤵
        
        PID:932
    - - C:\Users\Admin\AppData\Local\Temp\tmp240631656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631656.exe
        5⤵
        
        PID:4180
      - C:\Users\Admin\AppData\Local\Temp\tmp240631906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631906.exe
        6⤵
        
        PID:5008
      - C:\Users\Admin\AppData\Local\Temp\tmp240631859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631859.exe
        6⤵
        
        PID:3308
- - C:\Users\Admin\AppData\Local\Temp\tmp240616390.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240616390.exe
    3⤵
    PID:216
- - C:\Users\Admin\AppData\Local\Temp\tmp240616375.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240616375.exe
    3⤵
    PID:1164

C:\Users\Admin\AppData\Local\Temp\tmp240607078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240607078.exe
1⤵
PID:3424

C:\Users\Admin\AppData\Local\Temp\tmp240606671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240606671.exe
1⤵
PID:848

C:\Users\Admin\AppData\Local\Temp\tmp240606656.exe
C:\Users\Admin\AppData\Local\Temp\tmp240606656.exe
1⤵
PID:3912
- C:\Users\Admin\AppData\Local\Temp\tmp240639656.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240639656.exe
  2⤵
  PID:3424
- - C:\Users\Admin\AppData\Local\Temp\tmp240639875.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240639875.exe
    3⤵
    PID:220
- - C:\Users\Admin\AppData\Local\Temp\tmp240639687.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240639687.exe
    3⤵
    PID:956
- C:\Users\Admin\AppData\Local\Temp\tmp240639515.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240639515.exe
  2⤵
  PID:3848

C:\Users\Admin\AppData\Local\Temp\tmp240606640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240606640.exe
1⤵
PID:2280

C:\Users\Admin\AppData\Local\Temp\tmp240606265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240606265.exe
1⤵
PID:2372

C:\Users\Admin\AppData\Local\Temp\tmp240606203.exe
C:\Users\Admin\AppData\Local\Temp\tmp240606203.exe
1⤵
PID:2796

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:2472

C:\Users\Admin\AppData\Local\Temp\tmp240606078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240606078.exe
1⤵
PID:3852

C:\Users\Admin\AppData\Local\Temp\tmp240606015.exe
C:\Users\Admin\AppData\Local\Temp\tmp240606015.exe
1⤵
PID:3436
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1952

C:\Users\Admin\AppData\Local\Temp\tmp240606000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240606000.exe
1⤵
PID:3068

C:\Users\Admin\AppData\Local\Temp\tmp240614296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240614296.exe
1⤵
PID:2800
- C:\Users\Admin\AppData\Local\Temp\tmp240617515.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240617515.exe
  2⤵
  PID:4540
- C:\Users\Admin\AppData\Local\Temp\tmp240617546.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240617546.exe
  2⤵
  PID:3648
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:1804

C:\Users\Admin\AppData\Local\Temp\tmp240614531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240614531.exe
1⤵
PID:4700
- C:\Users\Admin\AppData\Local\Temp\tmp240614562.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240614562.exe
  2⤵
  PID:3020
- - C:\Users\Admin\AppData\Local\Temp\tmp240614640.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240614640.exe
    3⤵
    PID:2248
  - - C:\Users\Admin\AppData\Local\Temp\tmp240614687.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240614687.exe
      4⤵
      PID:3576
  - - C:\Users\Admin\AppData\Local\Temp\tmp240614703.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240614703.exe
      4⤵
      PID:1984
- - C:\Users\Admin\AppData\Local\Temp\tmp240614609.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240614609.exe
    3⤵
    PID:2328
- C:\Users\Admin\AppData\Local\Temp\tmp240617781.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240617781.exe
  2⤵
  PID:4372
- - C:\Users\Admin\AppData\Local\Temp\tmp240617906.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240617906.exe
    3⤵
    PID:3124
- - C:\Users\Admin\AppData\Local\Temp\tmp240617859.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240617859.exe
    3⤵
    PID:4772
- - C:\Users\Admin\AppData\Local\Temp\tmp240614781.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240614781.exe
    3⤵
    PID:1628
- C:\Users\Admin\AppData\Local\Temp\tmp240617703.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240617703.exe
  2⤵
  PID:968

C:\Users\Admin\AppData\Local\Temp\tmp240615000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615000.exe
1⤵
PID:3936
- C:\Users\Admin\AppData\Local\Temp\tmp240615046.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240615046.exe
  2⤵
  PID:4868
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:4844
  - - C:\Users\Admin\AppData\Local\Temp\tmp240615218.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240615218.exe
      4⤵
      PID:2020
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:3224
  - - C:\Users\Admin\AppData\Local\Temp\tmp240615796.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240615796.exe
      4⤵
      PID:4284
    - - C:\Users\Admin\AppData\Local\Temp\tmp240616015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616015.exe
        5⤵
        
        PID:1784
    - - C:\Users\Admin\AppData\Local\Temp\tmp240615875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615875.exe
        5⤵
        
        PID:2428
- C:\Users\Admin\AppData\Local\Temp\tmp240615078.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240615078.exe
  2⤵
  PID:4484
- - C:\Users\Admin\AppData\Local\Temp\tmp240615125.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240615125.exe
    3⤵
    PID:848
  - - C:\Users\Admin\AppData\Local\Temp\tmp240618531.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240618531.exe
      4⤵
      PID:2428
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:2696
  - - C:\Users\Admin\AppData\Local\Temp\tmp240618546.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240618546.exe
      4⤵
      PID:3928
- - C:\Users\Admin\AppData\Local\Temp\tmp240639343.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240639343.exe
    3⤵
    PID:2060
- - C:\Users\Admin\AppData\Local\Temp\tmp240639296.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240639296.exe
    3⤵
    PID:648
- C:\Users\Admin\AppData\Local\Temp\tmp240618312.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240618312.exe
  2⤵
  PID:4924
- C:\Users\Admin\AppData\Local\Temp\tmp240618250.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240618250.exe
  2⤵
  PID:4500

C:\Users\Admin\AppData\Local\Temp\tmp240615109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615109.exe
1⤵
PID:4508

C:\Users\Admin\AppData\Local\Temp\tmp240614984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240614984.exe
1⤵
PID:2796

C:\Users\Admin\AppData\Local\Temp\tmp240614968.exe
C:\Users\Admin\AppData\Local\Temp\tmp240614968.exe
1⤵
PID:3620

C:\Users\Admin\AppData\Local\Temp\tmp240614953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240614953.exe
1⤵
PID:3884

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:3980

C:\Users\Admin\AppData\Local\Temp\tmp240616140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240616140.exe
1⤵
PID:1036
- C:\Users\Admin\AppData\Local\Temp\tmp240616187.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240616187.exe
  2⤵
  PID:524
- C:\Users\Admin\AppData\Local\Temp\tmp240616171.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240616171.exe
  2⤵
  PID:2316

C:\Users\Admin\AppData\Local\Temp\tmp240616250.exe
C:\Users\Admin\AppData\Local\Temp\tmp240616250.exe
1⤵
PID:3060
- C:\Users\Admin\AppData\Local\Temp\tmp240616296.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240616296.exe
  2⤵
  PID:3748
- - C:\Users\Admin\AppData\Local\Temp\tmp240619031.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240619031.exe
    3⤵
    PID:4364

C:\Users\Admin\AppData\Local\Temp\tmp240616921.exe
C:\Users\Admin\AppData\Local\Temp\tmp240616921.exe
1⤵
PID:3796
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:3680
- - C:\Users\Admin\AppData\Local\Temp\tmp240613875.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240613875.exe
    3⤵
    PID:2440

C:\Users\Admin\AppData\Local\Temp\tmp240617000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240617000.exe
1⤵
PID:2872

C:\Users\Admin\AppData\Local\Temp\tmp240617109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240617109.exe
1⤵
PID:2992

C:\Users\Admin\AppData\Local\Temp\tmp240617156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240617156.exe
1⤵
PID:2512

C:\Users\Admin\AppData\Local\Temp\tmp240617437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240617437.exe
1⤵
PID:3492
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:4700
- - C:\Users\Admin\AppData\Local\Temp\tmp240614546.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240614546.exe
    3⤵
    PID:2332

C:\Users\Admin\AppData\Local\Temp\tmp240617718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240617718.exe
1⤵
PID:1432
- C:\Users\Admin\AppData\Local\Temp\tmp240617812.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240617812.exe
  2⤵
  PID:4204
- C:\Users\Admin\AppData\Local\Temp\tmp240617765.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240617765.exe
  2⤵
  PID:1292
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:4372
- C:\Users\Admin\AppData\Local\Temp\tmp240638843.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240638843.exe
  2⤵
  PID:2008
- C:\Users\Admin\AppData\Local\Temp\tmp240638875.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240638875.exe
  2⤵
  PID:1776

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:3096
- C:\Users\Admin\AppData\Local\Temp\tmp240618062.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240618062.exe
  2⤵
  PID:3588
- C:\Users\Admin\AppData\Local\Temp\tmp240617953.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240617953.exe
  2⤵
  PID:3852

C:\Users\Admin\AppData\Local\Temp\tmp240618046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240618046.exe
1⤵
PID:4792
- C:\Users\Admin\AppData\Local\Temp\tmp240618125.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240618125.exe
  2⤵
  PID:3080
- C:\Users\Admin\AppData\Local\Temp\tmp240618187.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240618187.exe
  2⤵
  PID:1408

C:\Users\Admin\AppData\Local\Temp\tmp240618156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240618156.exe
1⤵
PID:2796

C:\Users\Admin\AppData\Local\Temp\tmp240618390.exe
C:\Users\Admin\AppData\Local\Temp\tmp240618390.exe
1⤵
PID:2224

C:\Users\Admin\AppData\Local\Temp\tmp240618859.exe
C:\Users\Admin\AppData\Local\Temp\tmp240618859.exe
1⤵
PID:2240
- C:\Users\Admin\AppData\Local\Temp\tmp240619046.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240619046.exe
  2⤵
  PID:212
- - C:\Users\Admin\AppData\Local\Temp\tmp240619281.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240619281.exe
    3⤵
    PID:1664
  - - C:\Users\Admin\AppData\Local\Temp\tmp240619359.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240619359.exe
      4⤵
      Executes dropped EXE
      PID:1016
  - - C:\Users\Admin\AppData\Local\Temp\tmp240627046.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240627046.exe
      4⤵
      PID:5076
- - C:\Users\Admin\AppData\Local\Temp\tmp240619093.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240619093.exe
    3⤵
    PID:3180
- C:\Users\Admin\AppData\Local\Temp\tmp240618921.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240618921.exe
  2⤵
  PID:1296
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:3316
  - - C:\Users\Admin\AppData\Local\Temp\tmp240619421.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240619421.exe
      4⤵
      PID:5064
  - - C:\Users\Admin\AppData\Local\Temp\tmp240627000.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240627000.exe
      4⤵
      PID:3932

C:\Users\Admin\AppData\Local\Temp\tmp240618828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240618828.exe
1⤵
PID:3060
- C:\Users\Admin\AppData\Local\Temp\tmp240616281.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240616281.exe
  2⤵
  PID:2880

C:\Users\Admin\AppData\Local\Temp\tmp240618421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240618421.exe
1⤵
PID:848
- C:\Users\Admin\AppData\Local\Temp\tmp240616000.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240616000.exe
  2⤵
  PID:5116
- C:\Users\Admin\AppData\Local\Temp\tmp240615812.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240615812.exe
  2⤵
  PID:2140

C:\Users\Admin\AppData\Local\Temp\tmp240618375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240618375.exe
1⤵
PID:4844

C:\Users\Admin\AppData\Local\Temp\tmp240618359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240618359.exe
1⤵
PID:3636

C:\Users\Admin\AppData\Local\Temp\tmp240618203.exe
C:\Users\Admin\AppData\Local\Temp\tmp240618203.exe
1⤵
PID:3936

C:\Users\Admin\AppData\Local\Temp\tmp240617968.exe
C:\Users\Admin\AppData\Local\Temp\tmp240617968.exe
1⤵
PID:3436
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:3976
- - C:\Users\Admin\AppData\Local\Temp\tmp240639640.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240639640.exe
    3⤵
    PID:3572
  - - C:\Users\Admin\AppData\Local\Temp\tmp240639968.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240639968.exe
      4⤵
      PID:2564
  - - C:\Users\Admin\AppData\Local\Temp\tmp240639921.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240639921.exe
      4⤵
      PID:440
- - C:\Users\Admin\AppData\Local\Temp\tmp240639593.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240639593.exe
    3⤵
    PID:3224

C:\Users\Admin\AppData\Local\Temp\tmp240617687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240617687.exe
1⤵
PID:4428

C:\Users\Admin\AppData\Local\Temp\tmp240617484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240617484.exe
1⤵
PID:2800
- C:\Users\Admin\AppData\Local\Temp\tmp240614359.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240614359.exe
  2⤵
  PID:4216
- C:\Users\Admin\AppData\Local\Temp\tmp240614343.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240614343.exe
  2⤵
  PID:4300

C:\Users\Admin\AppData\Local\Temp\tmp240617171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240617171.exe
1⤵
PID:3420

C:\Users\Admin\AppData\Local\Temp\tmp240617125.exe
C:\Users\Admin\AppData\Local\Temp\tmp240617125.exe
1⤵
PID:4704

C:\Users\Admin\AppData\Local\Temp\tmp240617046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240617046.exe
1⤵
PID:3916

C:\Users\Admin\AppData\Local\Temp\tmp240616984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240616984.exe
1⤵
PID:4276

C:\Users\Admin\AppData\Local\Temp\tmp240616781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240616781.exe
1⤵
PID:5076

C:\Users\Admin\AppData\Local\Temp\tmp240616750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240616750.exe
1⤵
PID:3744

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1016

C:\Users\Admin\AppData\Local\Temp\tmp240616578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240616578.exe
1⤵
PID:2804

C:\Users\Admin\AppData\Local\Temp\tmp240616546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240616546.exe
1⤵
PID:2252

C:\Users\Admin\AppData\Local\Temp\tmp240616234.exe
C:\Users\Admin\AppData\Local\Temp\tmp240616234.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3044

C:\Users\Admin\AppData\Local\Temp\tmp240614515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240614515.exe
1⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\tmp240614281.exe
C:\Users\Admin\AppData\Local\Temp\tmp240614281.exe
1⤵
PID:3648

C:\Users\Admin\AppData\Local\Temp\tmp240632031.exe
C:\Users\Admin\AppData\Local\Temp\tmp240632031.exe
1⤵
PID:4232
- C:\Users\Admin\AppData\Local\Temp\tmp240635593.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240635593.exe
  2⤵
  PID:4128
- - C:\Users\Admin\AppData\Local\Temp\tmp240638343.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240638343.exe
    3⤵
    PID:3332
  - - C:\Users\Admin\AppData\Local\Temp\tmp240674171.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240674171.exe
      4⤵
      PID:2188
- - C:\Users\Admin\AppData\Local\Temp\tmp240638671.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240638671.exe
    3⤵
    PID:1496
- C:\Users\Admin\AppData\Local\Temp\tmp240632156.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240632156.exe
  2⤵
  PID:2800
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:4008

C:\Users\Admin\AppData\Local\Temp\tmp240632015.exe
C:\Users\Admin\AppData\Local\Temp\tmp240632015.exe
1⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\tmp240632062.exe
C:\Users\Admin\AppData\Local\Temp\tmp240632062.exe
1⤵
PID:1304

C:\Users\Admin\AppData\Local\Temp\tmp240631937.exe
C:\Users\Admin\AppData\Local\Temp\tmp240631937.exe
1⤵
PID:2084

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:3892
- C:\Users\Admin\AppData\Local\Temp\tmp240639250.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240639250.exe
  2⤵
  PID:4484
- C:\Users\Admin\AppData\Local\Temp\tmp240639234.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240639234.exe
  2⤵
  PID:3436

C:\Users\Admin\AppData\Local\Temp\tmp240639203.exe
C:\Users\Admin\AppData\Local\Temp\tmp240639203.exe
1⤵
PID:3548

C:\Users\Admin\AppData\Local\Temp\tmp240639406.exe
C:\Users\Admin\AppData\Local\Temp\tmp240639406.exe
1⤵
PID:916

C:\Users\Admin\AppData\Local\Temp\tmp240639625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240639625.exe
1⤵
PID:4632
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:4296
- - C:\Users\Admin\AppData\Local\Temp\tmp240640578.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240640578.exe
    3⤵
    PID:4072
- - C:\Users\Admin\AppData\Local\Temp\tmp240644953.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240644953.exe
    3⤵
    PID:4764
  - - C:\Users\Admin\AppData\Local\Temp\tmp240647218.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240647218.exe
      4⤵
      PID:3168
  - - C:\Users\Admin\AppData\Local\Temp\tmp240648906.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240648906.exe
      4⤵
      PID:3948
    - - C:\Users\Admin\AppData\Local\Temp\tmp240650312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650312.exe
        5⤵
        
        PID:892
    - - C:\Users\Admin\AppData\Local\Temp\tmp240652250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652250.exe
        5⤵
        
        PID:744
      - C:\Users\Admin\AppData\Local\Temp\tmp240652343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652343.exe
        6⤵
        
        PID:3932
      - C:\Users\Admin\AppData\Local\Temp\tmp240653531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653531.exe
        6⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661171.exe
        7⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664343.exe
        7⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666015.exe
        8⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675796.exe
        10⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676171.exe
        12⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681140.exe
        14⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684609.exe
        16⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686906.exe
        16⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688562.exe
        17⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690031.exe
        17⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693859.exe
        18⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698656.exe
        18⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705500.exe
        19⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705640.exe
        20⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708140.exe
        20⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\tmp240712843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240712843.exe
        21⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704718.exe
        19⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684390.exe
        14⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687000.exe
        15⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688546.exe
        15⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692937.exe
        16⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698718.exe
        16⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704687.exe
        17⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708093.exe
        17⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240712687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240712687.exe
        18⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678000.exe
        12⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681015.exe
        13⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683250.exe
        13⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686921.exe
        14⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688671.exe
        16⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692906.exe
        16⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698781.exe
        17⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708125.exe
        17⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240712765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240712765.exe
        18⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688500.exe
        14⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690015.exe
        15⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698859.exe
        17⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701421.exe
        17⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704796.exe
        18⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708031.exe
        18⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240712890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240712890.exe
        19⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696156.exe
        15⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704781.exe
        16⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707984.exe
        16⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708406.exe
        17⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675984.exe
        10⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679671.exe
        11⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681000.exe
        11⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683296.exe
        12⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685437.exe
        12⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688468.exe
        13⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689984.exe
        14⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692875.exe
        14⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696250.exe
        15⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708187.exe
        17⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701218.exe
        15⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705625.exe
        16⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708203.exe
        16⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670859.exe
        8⤵
        
        PID:4128

C:\Users\Admin\AppData\Local\Temp\tmp240639953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240639953.exe
1⤵
PID:1448

C:\Users\Admin\AppData\Local\Temp\tmp240640125.exe
C:\Users\Admin\AppData\Local\Temp\tmp240640125.exe
1⤵
PID:1536
- C:\Users\Admin\AppData\Local\Temp\tmp240640187.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240640187.exe
  2⤵
  PID:1668
- - C:\Users\Admin\AppData\Local\Temp\tmp240640218.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240640218.exe
    3⤵
    PID:1160
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:3380
    - - C:\Users\Admin\AppData\Local\Temp\tmp240649031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649031.exe
        5⤵
        
        PID:384
      - C:\Users\Admin\AppData\Local\Temp\tmp240650343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650343.exe
        6⤵
        
        PID:4808
      - C:\Users\Admin\AppData\Local\Temp\tmp240652265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652265.exe
        6⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653437.exe
        7⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653562.exe
        7⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665937.exe
        8⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666046.exe
        9⤵
        Executes dropped EXE
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672656.exe
        9⤵
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674203.exe
        10⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661187.exe
        8⤵
        
        PID:4160
- - C:\Users\Admin\AppData\Local\Temp\tmp240640562.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240640562.exe
    3⤵
    PID:2432
  - - C:\Users\Admin\AppData\Local\Temp\tmp240647171.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240647171.exe
      4⤵
      PID:3336
  - - C:\Users\Admin\AppData\Local\Temp\tmp240644968.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240644968.exe
      4⤵
      PID:5088
- C:\Users\Admin\AppData\Local\Temp\tmp240640171.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240640171.exe
  2⤵
  PID:1216

C:\Users\Admin\AppData\Local\Temp\tmp240640093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240640093.exe
1⤵
PID:1556

C:\Users\Admin\AppData\Local\Temp\tmp240639984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240639984.exe
1⤵
PID:3612

C:\Users\Admin\AppData\Local\Temp\tmp240639718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240639718.exe
1⤵
PID:4200

C:\Users\Admin\AppData\Local\Temp\tmp240639437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240639437.exe
1⤵
PID:3912

C:\Users\Admin\AppData\Local\Temp\tmp240639218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240639218.exe
1⤵
PID:644

C:\Users\Admin\AppData\Local\Temp\tmp240639171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240639171.exe
1⤵
PID:4048

C:\Users\Admin\AppData\Local\Temp\tmp240639031.exe
C:\Users\Admin\AppData\Local\Temp\tmp240639031.exe
1⤵
PID:4732

C:\Users\Admin\AppData\Local\Temp\tmp240688406.exe
C:\Users\Admin\AppData\Local\Temp\tmp240688406.exe
1⤵
PID:4636

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp240567265.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240567265.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240567328.exe

Filesize
4.8MB

MD5
f69dacdfe80a5610b82c4d833f4d3fb3

SHA1
b06213068399f4132961e3944f037f960db03cb2

SHA256
585760592139dc19a55b690cd361b07ec9d353a6df7cd658e591f2ef4e939478

SHA512
889288449bbd9af939a4c9a2bf91fc4826b263c50e92f1af0c39032ca54bc5a07a8fd6923957ddf074751ac11c6badd319daffcc4a5476f4c1f877394dfc6ee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240567328.exe

Filesize
4.8MB

MD5
f69dacdfe80a5610b82c4d833f4d3fb3

SHA1
b06213068399f4132961e3944f037f960db03cb2

SHA256
585760592139dc19a55b690cd361b07ec9d353a6df7cd658e591f2ef4e939478

SHA512
889288449bbd9af939a4c9a2bf91fc4826b263c50e92f1af0c39032ca54bc5a07a8fd6923957ddf074751ac11c6badd319daffcc4a5476f4c1f877394dfc6ee9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240568468.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240568468.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240568968.exe

Filesize
4.3MB

MD5
c96ae5695ec1c1b79a0f74308f74653c

SHA1
88ff4bdb12593e34a3f2e567f758a0a9c99d342d

SHA256
b5fcf703bcef1f3f5c8e4d8a53f7ae3356527db40a645aff24fe9cd12d7ce405

SHA512
bc3c6cbc2b3b9dcd802e51d9ab19ede105c27bac5d1a0b58fb79241c1f676e2067b9b398ce14cf621724d8555c261d650a73b8da2993860fa4f454b4170668bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240568968.exe

Filesize
4.3MB

MD5
c96ae5695ec1c1b79a0f74308f74653c

SHA1
88ff4bdb12593e34a3f2e567f758a0a9c99d342d

SHA256
b5fcf703bcef1f3f5c8e4d8a53f7ae3356527db40a645aff24fe9cd12d7ce405

SHA512
bc3c6cbc2b3b9dcd802e51d9ab19ede105c27bac5d1a0b58fb79241c1f676e2067b9b398ce14cf621724d8555c261d650a73b8da2993860fa4f454b4170668bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240570000.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240570000.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240572109.exe

Filesize
3.8MB

MD5
4c6592d0bdd311b3b4e5dedb5b870db0

SHA1
901e60916b83383c15b64aff5dff9693b3b94a90

SHA256
68c8dd8b3f27f37427cd775e8a1e58f82f4ae9b3300b3b8cbfaf232da398cb0f

SHA512
1dc0bfdbc43597c2b16c14c15a673384764352a467e7066b6848e82bea7f275490ccd17c250fedb4252f0b8ce49fc89873006b4449d8a97b577273a0026eea6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240572109.exe

Filesize
3.8MB

MD5
4c6592d0bdd311b3b4e5dedb5b870db0

SHA1
901e60916b83383c15b64aff5dff9693b3b94a90

SHA256
68c8dd8b3f27f37427cd775e8a1e58f82f4ae9b3300b3b8cbfaf232da398cb0f

SHA512
1dc0bfdbc43597c2b16c14c15a673384764352a467e7066b6848e82bea7f275490ccd17c250fedb4252f0b8ce49fc89873006b4449d8a97b577273a0026eea6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240572375.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240572375.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240572421.exe

Filesize
3.4MB

MD5
29234b186cb0f2d9c38d074166b5bfcd

SHA1
1d99d34433812bcc89c5e2a000c41df81392edb6

SHA256
f5c44ac25a5ffb48e76fe0a8287656d25a0b3ba3c66a6fddd1ee5eb659daf415

SHA512
9c188290aae0b0a4892f2f203784ee9e2c9075d2c735499d0754317553b74fa568c35b3f354d6a8dd120108838f70abc6040498bc058f5073cccbce2379e1ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240572421.exe

Filesize
3.4MB

MD5
29234b186cb0f2d9c38d074166b5bfcd

SHA1
1d99d34433812bcc89c5e2a000c41df81392edb6

SHA256
f5c44ac25a5ffb48e76fe0a8287656d25a0b3ba3c66a6fddd1ee5eb659daf415

SHA512
9c188290aae0b0a4892f2f203784ee9e2c9075d2c735499d0754317553b74fa568c35b3f354d6a8dd120108838f70abc6040498bc058f5073cccbce2379e1ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240572531.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240572531.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240572562.exe

Filesize
2.9MB

MD5
7fa01f466b5c647ae60b5165c6f329e5

SHA1
8f9cdfafb1aa3fdb146aff7db74557594d21a5fe

SHA256
30f102214f06259f236652572da0aa287950ea45dd08b3844c824a2946b9b3bb

SHA512
5efa6cf84bbd62a736f59c0540a7980236c64162b64431f2b04bcaf0103b91cee88832369825539245c93e341e6f6af3a5bea16f5bf07a62fac2785e872e7563

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240572562.exe

Filesize
2.9MB

MD5
7fa01f466b5c647ae60b5165c6f329e5

SHA1
8f9cdfafb1aa3fdb146aff7db74557594d21a5fe

SHA256
30f102214f06259f236652572da0aa287950ea45dd08b3844c824a2946b9b3bb

SHA512
5efa6cf84bbd62a736f59c0540a7980236c64162b64431f2b04bcaf0103b91cee88832369825539245c93e341e6f6af3a5bea16f5bf07a62fac2785e872e7563

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240572640.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240572640.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240572796.exe

Filesize
2.4MB

MD5
93afedab0e591b65295b0e64081f4592

SHA1
d15fa88199f8fd597eb3927173d8f8f4d8afd590

SHA256
e18a003a7a5684b39bcd27b93489decfe86954a1f8faba06a398e6d38935ff63

SHA512
6c3e3bdb4d87637854796215361e1d417c1532d0b62a3d0a14e233f01cde1420ccf800daf7cf05c35d937d8a981740dd93bdd45ca0b6dbbbdeb9122f0d82e7e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240572796.exe

Filesize
2.4MB

MD5
93afedab0e591b65295b0e64081f4592

SHA1
d15fa88199f8fd597eb3927173d8f8f4d8afd590

SHA256
e18a003a7a5684b39bcd27b93489decfe86954a1f8faba06a398e6d38935ff63

SHA512
6c3e3bdb4d87637854796215361e1d417c1532d0b62a3d0a14e233f01cde1420ccf800daf7cf05c35d937d8a981740dd93bdd45ca0b6dbbbdeb9122f0d82e7e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240573109.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240573109.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240573125.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240573125.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240573218.exe

Filesize
2.0MB

MD5
c0bf6c45f4d8963f7e68324f16afff06

SHA1
bcb7cea578712e59ed9a069f9e486ee13d868038

SHA256
0d91305dd2b88da1d05fdf3765c399b2169d12272fbe5c27418c7621ccb99dc4

SHA512
4fd73970307b47ca554bb572b61076ef51e791edf29409fc35e6185b32a370d63f353bec081488aa0fd7c826aea3edd557b6e9c8f9d956bcc623073c4321c4de

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240573218.exe

Filesize
2.0MB

MD5
c0bf6c45f4d8963f7e68324f16afff06

SHA1
bcb7cea578712e59ed9a069f9e486ee13d868038

SHA256
0d91305dd2b88da1d05fdf3765c399b2169d12272fbe5c27418c7621ccb99dc4

SHA512
4fd73970307b47ca554bb572b61076ef51e791edf29409fc35e6185b32a370d63f353bec081488aa0fd7c826aea3edd557b6e9c8f9d956bcc623073c4321c4de

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240573250.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240573500.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240573500.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240573687.exe

Filesize
1.5MB

MD5
79b015f988114d130317226777a10990

SHA1
c628c74bdc5cd77ead1f89e2f0ccaf116d21c960

SHA256
b54b09ca3c7587ff82101d4581ae19b7c12209315017d40b562e88257fc5193d

SHA512
6242a43bd29eea526ca225189b2bb59d6041bccc7a77c9fd7b3b9e7cfb53aae84237d3d9916882a9ba0a4cd697cb5a44354782571c323bec78df5d573ce39887

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240573687.exe

Filesize
1.5MB

MD5
79b015f988114d130317226777a10990

SHA1
c628c74bdc5cd77ead1f89e2f0ccaf116d21c960

SHA256
b54b09ca3c7587ff82101d4581ae19b7c12209315017d40b562e88257fc5193d

SHA512
6242a43bd29eea526ca225189b2bb59d6041bccc7a77c9fd7b3b9e7cfb53aae84237d3d9916882a9ba0a4cd697cb5a44354782571c323bec78df5d573ce39887

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240573843.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240573843.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240573968.exe

Filesize
1.1MB

MD5
21e241d111e4287c7a36110ceb903e1f

SHA1
a7d14752458f4e29d0e4e32e5f1ce273afb6b824

SHA256
1098ab286f7e9a0a8cd2d2e263450e6acbfa53976e0a84c82ed819af17226e50

SHA512
2df328ebfa3ce89ff92002ac326cef533c3a46e906b3a16ceeaa4c8df31dd34787f95bf7b48018e294408058a666a8fd8f003780e48e6a065aed853c5ef52310

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240573968.exe

Filesize
1.1MB

MD5
21e241d111e4287c7a36110ceb903e1f

SHA1
a7d14752458f4e29d0e4e32e5f1ce273afb6b824

SHA256
1098ab286f7e9a0a8cd2d2e263450e6acbfa53976e0a84c82ed819af17226e50

SHA512
2df328ebfa3ce89ff92002ac326cef533c3a46e906b3a16ceeaa4c8df31dd34787f95bf7b48018e294408058a666a8fd8f003780e48e6a065aed853c5ef52310

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240574156.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240574156.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240574203.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240574203.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240574250.exe

Filesize
635KB

MD5
69fff2dca5ae9d534236f9ea5d8dbcb8

SHA1
cfd6661dcfbb454e5ee0d9cc82a6fbf9fb5743ce

SHA256
213db224153a93faff4e56b0139a6c421dd3a69e3b006be9084b2acca316e99c

SHA512
921a3a21fa50d29c7a4e42bab6255da754d9058e7ae66e187e53dbafe575c7c5450a5626b0cb7c9efaabc56d986d1fd691d9ab83c6bc080094bda53db76f068e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240574250.exe

Filesize
635KB

MD5
69fff2dca5ae9d534236f9ea5d8dbcb8

SHA1
cfd6661dcfbb454e5ee0d9cc82a6fbf9fb5743ce

SHA256
213db224153a93faff4e56b0139a6c421dd3a69e3b006be9084b2acca316e99c

SHA512
921a3a21fa50d29c7a4e42bab6255da754d9058e7ae66e187e53dbafe575c7c5450a5626b0cb7c9efaabc56d986d1fd691d9ab83c6bc080094bda53db76f068e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240574421.exe

Filesize
609KB

MD5
532961410f1d49938f254c0059b02fc5

SHA1
a2b87e90a510c3dea9f69367f740a824b6173df1

SHA256
0bf25c5bfb9d78d8dad01afe3154346f0736851bdcbbdb19c2f09ce515168b2d

SHA512
a99920efbcbb27ea8c7010d0b4e3ec0b06a8eee5844ebef7c1cf3abd2a07eebb3b22b94aedf7a81a041f8a194ab5e876904c8da93966e62d09b5029f204c1597

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240574421.exe

Filesize
609KB

MD5
532961410f1d49938f254c0059b02fc5

SHA1
a2b87e90a510c3dea9f69367f740a824b6173df1

SHA256
0bf25c5bfb9d78d8dad01afe3154346f0736851bdcbbdb19c2f09ce515168b2d

SHA512
a99920efbcbb27ea8c7010d0b4e3ec0b06a8eee5844ebef7c1cf3abd2a07eebb3b22b94aedf7a81a041f8a194ab5e876904c8da93966e62d09b5029f204c1597

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240575390.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240575390.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240575500.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240575500.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240575656.exe

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
462KB

MD5
ea72c06249d31101dbd16471e53c82ce

SHA1
6d0e8409f1a7abdd1c28182b994b15153fbb0172

SHA256
5ee0904c41ebfd4d7e7413a653c0d3c1cca020241bce76a6b46b7af92b26de5c

SHA512
7ee1b965f3ce8f7e52eb217332ee026b4258bf999bcc3c6bf2efe9cfe1b12f70b0864590d2dbe77f8aca0606a87990338a9df896641c15f4b0b867f3e60d8e0c

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.1MB

MD5
05db25845a67d021d9d48deeb4cbd203

SHA1
eaca2b81b3dd495ba445bf3cb5e91d164f783a0a

SHA256
a1dd3fabef2072e4c1a2a29b0ab24151b8de6f26f788f0b55ca81eb21f30c68f

SHA512
9132e8a1c0901dca6fee2ac0b688d1967298c34dceb7069d2428b0ac2b74e7ad619e2846ea5960039c64881cc542c83960f5240166e8a88809885a7604f22ca8

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.1MB

MD5
05db25845a67d021d9d48deeb4cbd203

SHA1
eaca2b81b3dd495ba445bf3cb5e91d164f783a0a

SHA256
a1dd3fabef2072e4c1a2a29b0ab24151b8de6f26f788f0b55ca81eb21f30c68f

SHA512
9132e8a1c0901dca6fee2ac0b688d1967298c34dceb7069d2428b0ac2b74e7ad619e2846ea5960039c64881cc542c83960f5240166e8a88809885a7604f22ca8

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.1MB

MD5
05db25845a67d021d9d48deeb4cbd203

SHA1
eaca2b81b3dd495ba445bf3cb5e91d164f783a0a

SHA256
a1dd3fabef2072e4c1a2a29b0ab24151b8de6f26f788f0b55ca81eb21f30c68f

SHA512
9132e8a1c0901dca6fee2ac0b688d1967298c34dceb7069d2428b0ac2b74e7ad619e2846ea5960039c64881cc542c83960f5240166e8a88809885a7604f22ca8

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.1MB

MD5
05db25845a67d021d9d48deeb4cbd203

SHA1
eaca2b81b3dd495ba445bf3cb5e91d164f783a0a

SHA256
a1dd3fabef2072e4c1a2a29b0ab24151b8de6f26f788f0b55ca81eb21f30c68f

SHA512
9132e8a1c0901dca6fee2ac0b688d1967298c34dceb7069d2428b0ac2b74e7ad619e2846ea5960039c64881cc542c83960f5240166e8a88809885a7604f22ca8

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
635KB

MD5
69fff2dca5ae9d534236f9ea5d8dbcb8

SHA1
cfd6661dcfbb454e5ee0d9cc82a6fbf9fb5743ce

SHA256
213db224153a93faff4e56b0139a6c421dd3a69e3b006be9084b2acca316e99c

SHA512
921a3a21fa50d29c7a4e42bab6255da754d9058e7ae66e187e53dbafe575c7c5450a5626b0cb7c9efaabc56d986d1fd691d9ab83c6bc080094bda53db76f068e

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
635KB

MD5
69fff2dca5ae9d534236f9ea5d8dbcb8

SHA1
cfd6661dcfbb454e5ee0d9cc82a6fbf9fb5743ce

SHA256
213db224153a93faff4e56b0139a6c421dd3a69e3b006be9084b2acca316e99c

SHA512
921a3a21fa50d29c7a4e42bab6255da754d9058e7ae66e187e53dbafe575c7c5450a5626b0cb7c9efaabc56d986d1fd691d9ab83c6bc080094bda53db76f068e

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
memory/216-179-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/216-166-0x0000000000000000-mapping.dmp

Download
memory/224-308-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/400-311-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/400-312-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/424-187-0x0000000000000000-mapping.dmp

Download
memory/424-203-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/456-255-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/456-254-0x0000000000000000-mapping.dmp

Download
memory/456-271-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/524-298-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/524-293-0x0000000000000000-mapping.dmp

Download
memory/524-304-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/544-321-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/756-256-0x0000000000010000-0x0000000000032000-memory.dmp

Filesize
136KB

Download
memory/756-250-0x0000000000000000-mapping.dmp

Download
memory/848-139-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/848-135-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1016-181-0x0000000000000000-mapping.dmp

Download
memory/1196-240-0x0000000000000000-mapping.dmp

Download
memory/1228-227-0x0000000000000000-mapping.dmp

Download
memory/1228-252-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1228-236-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1312-295-0x0000000000000000-mapping.dmp

Download
memory/1376-251-0x0000000000000000-mapping.dmp

Download
memory/1404-214-0x0000000000000000-mapping.dmp

Download
memory/1432-259-0x0000000000000000-mapping.dmp

Download
memory/1448-305-0x0000000000000000-mapping.dmp

Download
memory/1456-136-0x0000000000000000-mapping.dmp

Download
memory/1456-143-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1456-147-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1800-257-0x0000000000000000-mapping.dmp

Download
memory/1832-260-0x0000000000000000-mapping.dmp

Download
memory/1832-275-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1876-301-0x0000000000000000-mapping.dmp

Download
memory/1944-237-0x0000000000000000-mapping.dmp

Download
memory/2136-163-0x0000000000000000-mapping.dmp

Download
memory/2136-303-0x0000000000000000-mapping.dmp

Download
memory/2208-302-0x0000000000000000-mapping.dmp

Download
memory/2208-307-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2236-281-0x0000000000000000-mapping.dmp

Download
memory/2332-266-0x0000000000000000-mapping.dmp

Download
memory/2440-323-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2656-248-0x0000000000000000-mapping.dmp

Download
memory/2680-313-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2680-309-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2696-170-0x0000000000000000-mapping.dmp

Download
memory/2780-264-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2780-245-0x0000000000000000-mapping.dmp

Download
memory/2780-247-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2804-310-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2804-314-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2848-274-0x0000000000000000-mapping.dmp

Download
memory/2880-159-0x0000000000000000-mapping.dmp

Download
memory/2880-169-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2912-270-0x0000000000000000-mapping.dmp

Download
memory/3024-322-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3044-132-0x0000000000000000-mapping.dmp

Download
memory/3056-200-0x0000000000000000-mapping.dmp

Download
memory/3056-213-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3056-317-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3132-253-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3132-234-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3132-219-0x0000000000000000-mapping.dmp

Download
memory/3220-315-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3324-300-0x0000000000000000-mapping.dmp

Download
memory/3440-262-0x0000000000000000-mapping.dmp

Download
memory/3592-156-0x0000000000000000-mapping.dmp

Download
memory/3620-280-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3620-276-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3620-268-0x0000000000000000-mapping.dmp

Download
memory/3852-272-0x0000000000000000-mapping.dmp

Download
memory/3860-162-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3860-152-0x0000000000000000-mapping.dmp

Download
memory/3924-291-0x0000000000000000-mapping.dmp

Download
memory/3928-306-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3928-290-0x0000000000000000-mapping.dmp

Download
memory/3928-299-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3932-320-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3996-149-0x0000000000000000-mapping.dmp

Download
memory/4056-195-0x0000000000000000-mapping.dmp

Download
memory/4060-285-0x0000000000000000-mapping.dmp

Download
memory/4060-289-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4060-297-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4128-269-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4128-258-0x0000000000000000-mapping.dmp

Download
memory/4136-180-0x0000000000000000-mapping.dmp

Download
memory/4152-232-0x0000000000000000-mapping.dmp

Download
memory/4152-235-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4152-265-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4156-287-0x0000000000000000-mapping.dmp

Download
memory/4172-292-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4172-283-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4172-282-0x0000000000000000-mapping.dmp

Download
memory/4180-316-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4244-228-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4244-318-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4244-207-0x0000000000000000-mapping.dmp

Download
memory/4244-221-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4308-189-0x0000000000000000-mapping.dmp

Download
memory/4348-204-0x0000000000000000-mapping.dmp

Download
memory/4368-263-0x0000000000000000-mapping.dmp

Download
memory/4372-273-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4372-261-0x0000000000000000-mapping.dmp

Download
memory/4396-220-0x0000000000000000-mapping.dmp

Download
memory/4464-267-0x0000000000000000-mapping.dmp

Download
memory/4532-140-0x0000000000000000-mapping.dmp

Download
memory/4532-294-0x0000000000000000-mapping.dmp

Download
memory/4536-173-0x0000000000000000-mapping.dmp

Download
memory/4536-186-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4536-192-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4620-286-0x0000000000000000-mapping.dmp

Download
memory/4644-188-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4644-174-0x0000000000000000-mapping.dmp

Download
memory/4644-194-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5012-154-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5012-148-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5012-144-0x0000000000000000-mapping.dmp

Download
memory/5044-208-0x0000000000000000-mapping.dmp

Download
memory/5044-231-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5044-226-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5056-319-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5096-284-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5096-296-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5096-279-0x0000000000000000-mapping.dmp

Download
memory/5100-278-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5100-277-0x0000000000000000-mapping.dmp

Download
memory/5100-288-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download