d4139ed12fbe586c7b65902b07038d03b79b057b528c45f68115dd2dbb928034

Analysis

max time kernel
182s
max time network
187s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4139ed12fbe586c7b65902b07038d03b79b057b528c45f68115dd2dbb928034.exe
Size

290KB
MD5

2f5028a3c344d1a7cb45563e7641bb30
SHA1

8e4b97268082a2d4d3af1b6d875c86e44c041842
SHA256

d4139ed12fbe586c7b65902b07038d03b79b057b528c45f68115dd2dbb928034
SHA512

0ab29058e2571832baad0aae732b4ace136036881348ca4104c1583ed63c34a5ec6c4328ab90fd1214ff1380210c57cebf353a859f97d3f2d2f63f516873746f
SSDEEP

6144:EXhCRhrDPoPFXhCRhrDPaNSDyDIkFthp:vR9PoP2R9PCSDyTFtj

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
4120	notpad.exe
1300	tmp240586796.exe
4344	notpad.exe
1444	tmp240586890.exe
1888	tmp240587046.exe
4660	tmp240587468.exe
4232	notpad.exe
4200	tmp240587656.exe
2840	tmp240587734.exe
2804	notpad.exe
1776	tmp240587890.exe
4608	tmp240587968.exe
3836	notpad.exe
2280	tmp240588171.exe
312	tmp240588203.exe
4628	notpad.exe
1652	tmp240588390.exe
1120	tmp240588468.exe
4236	notpad.exe
4368	tmp240588656.exe
1064	tmp240588718.exe
3512	notpad.exe
4268	tmp240588828.exe
3724	tmp240588875.exe
1584	notpad.exe
3516	tmp240589031.exe
4680	tmp240589218.exe
2236	notpad.exe
3200	tmp240589359.exe
3668	tmp240589390.exe
4152	notpad.exe
2828	tmp240589640.exe
4208	tmp240589671.exe
1324	notpad.exe
1612	tmp240589843.exe
3912	notpad.exe
1116	tmp240613515.exe
1748	tmp240620671.exe
3896	tmp240626281.exe
3732	notpad.exe
2684	tmp240626703.exe
4160	notpad.exe
4148	tmp240627671.exe
1044	tmp240627890.exe
2628	notpad.exe
1564	tmp240628203.exe
4132	tmp240628359.exe
1176	notpad.exe
1732	tmp240628734.exe
1436	tmp240628890.exe
1372	tmp240629203.exe
1420	notpad.exe
688	tmp240630765.exe
4344	tmp240630953.exe
3192	notpad.exe
5012	tmp240631187.exe
2388	tmp240631359.exe
208	notpad.exe
4140	tmp240631593.exe
5016	tmp240631828.exe
5044	notpad.exe
3616	tmp240635921.exe
3592	tmp240648250.exe
3836	notpad.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000022e5a-133.dat	upx
behavioral2/files/0x0007000000022e5a-134.dat	upx
behavioral2/files/0x0007000000022e54-138.dat	upx
behavioral2/files/0x0007000000022e5a-141.dat	upx
behavioral2/memory/4120-144-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4344-145-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4344-153-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022e5a-155.dat	upx
behavioral2/memory/4232-163-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022e5a-165.dat	upx
behavioral2/memory/2804-173-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022e5a-175.dat	upx
behavioral2/memory/3836-183-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022e5a-185.dat	upx
behavioral2/files/0x0007000000022e5a-196.dat	upx
behavioral2/files/0x0007000000022e5a-206.dat	upx
behavioral2/memory/3512-214-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022e5a-216.dat	upx
behavioral2/files/0x0007000000022e54-210.dat	upx
behavioral2/memory/1584-224-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022e5a-226.dat	upx
behavioral2/files/0x0007000000022e5a-237.dat	upx
behavioral2/memory/4152-242-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2236-235-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2236-233-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022e54-231.dat	upx
behavioral2/memory/1324-244-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022e54-220.dat	upx
behavioral2/memory/4236-204-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022e54-200.dat	upx
behavioral2/memory/4628-194-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022e54-190.dat	upx
behavioral2/memory/4628-186-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022e54-179.dat	upx
behavioral2/files/0x0007000000022e54-169.dat	upx
behavioral2/files/0x0007000000022e54-159.dat	upx
behavioral2/files/0x0007000000022e54-149.dat	upx
behavioral2/memory/3912-247-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1324-250-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3912-252-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3732-254-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3732-258-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4160-259-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4160-263-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2628-267-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1176-268-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1176-271-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1420-275-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3192-279-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/208-282-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/208-285-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5044-286-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5044-289-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3836-291-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4220-292-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3416-293-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3416-294-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3416-295-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3608-296-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1276-297-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2648-298-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2648-299-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2400-300-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3240-301-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240674562.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240697812.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240588656.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240648968.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240703109.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240628359.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240670421.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240671312.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240699640.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240700500.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240702531.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240703531.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240587890.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240588171.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240631593.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240701046.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240675156.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240676890.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240677312.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240702062.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240669421.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240670734.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240627890.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240702828.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240697109.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240703609.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240587656.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240626703.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240675640.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240677750.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240700218.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240705031.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240587046.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240635921.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240648687.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240669234.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240676500.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240705265.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240586796.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240589843.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240628890.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240671125.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240675390.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240676218.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240677109.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240700781.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240589031.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240589640.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240588390.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240674375.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240675921.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240677515.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240677921.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240698953.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240699953.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240589359.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240674078.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240674875.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240678109.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240701718.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240620671.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240671656.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240631187.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240648500.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240671312.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240674375.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240676703.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240697109.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240699953.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240588390.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240648687.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240671125.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240699953.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240703531.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240701046.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240701046.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240702828.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240631187.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240669921.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240698484.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240670734.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240677750.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240700218.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240620671.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240627890.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240668781.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240700500.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240676218.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240699640.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240700500.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240588171.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240677515.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240702062.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240703531.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240705031.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240668781.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240669421.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240678109.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240589031.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240671656.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240677312.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240674875.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240677750.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240700218.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240700781.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240588656.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240669234.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240669234.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240628890.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240675156.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240676218.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240700781.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240701046.exe
File created	C:\Windows\SysWOW64\notpad.exe-	d4139ed12fbe586c7b65902b07038d03b79b057b528c45f68115dd2dbb928034.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240589031.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240628359.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240700218.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240701718.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240588656.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240648500.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240676703.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240587890.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240670734.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240702531.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240677515.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240703609.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240703781.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240669421.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240630765.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240668781.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240700218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240631187.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240701046.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240702062.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240703531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240671125.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240675640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240677312.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240677515.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240588828.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240627890.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240628890.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240648500.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240678109.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240620671.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240628359.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240635921.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240697109.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240677750.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240703609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240703109.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240587656.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240631593.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240675921.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240702531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240676218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240626703.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240669421.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240670421.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240675390.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240648968.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240671656.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240674375.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240587046.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240674078.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240676703.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240697812.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240677109.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240698484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240699953.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240700781.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	d4139ed12fbe586c7b65902b07038d03b79b057b528c45f68115dd2dbb928034.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240589031.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240674562.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240675156.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240705265.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240701718.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240587890.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240589640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240669921.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240676500.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240588656.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240589359.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240677921.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240700500.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240588390.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240669234.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240702828.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240703781.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240705031.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240586796.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240589843.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4296 wrote to memory of 4120	4296	d4139ed12fbe586c7b65902b07038d03b79b057b528c45f68115dd2dbb928034.exe	79
PID 4296 wrote to memory of 4120	4296	d4139ed12fbe586c7b65902b07038d03b79b057b528c45f68115dd2dbb928034.exe	79
PID 4296 wrote to memory of 4120	4296	d4139ed12fbe586c7b65902b07038d03b79b057b528c45f68115dd2dbb928034.exe	79
PID 4120 wrote to memory of 1300	4120	notpad.exe	80
PID 4120 wrote to memory of 1300	4120	notpad.exe	80
PID 4120 wrote to memory of 1300	4120	notpad.exe	80
PID 1300 wrote to memory of 4344	1300	tmp240586796.exe	82
PID 1300 wrote to memory of 4344	1300	tmp240586796.exe	82
PID 1300 wrote to memory of 4344	1300	tmp240586796.exe	82
PID 4120 wrote to memory of 1444	4120	notpad.exe	81
PID 4120 wrote to memory of 1444	4120	notpad.exe	81
PID 4120 wrote to memory of 1444	4120	notpad.exe	81
PID 4344 wrote to memory of 1888	4344	notpad.exe	112
PID 4344 wrote to memory of 1888	4344	notpad.exe	112
PID 4344 wrote to memory of 1888	4344	notpad.exe	112
PID 4344 wrote to memory of 4660	4344	notpad.exe	83
PID 4344 wrote to memory of 4660	4344	notpad.exe	83
PID 4344 wrote to memory of 4660	4344	notpad.exe	83
PID 1888 wrote to memory of 4232	1888	tmp240587046.exe	84
PID 1888 wrote to memory of 4232	1888	tmp240587046.exe	84
PID 1888 wrote to memory of 4232	1888	tmp240587046.exe	84
PID 4232 wrote to memory of 4200	4232	notpad.exe	111
PID 4232 wrote to memory of 4200	4232	notpad.exe	111
PID 4232 wrote to memory of 4200	4232	notpad.exe	111
PID 4232 wrote to memory of 2840	4232	notpad.exe	110
PID 4232 wrote to memory of 2840	4232	notpad.exe	110
PID 4232 wrote to memory of 2840	4232	notpad.exe	110
PID 4200 wrote to memory of 2804	4200	tmp240587656.exe	85
PID 4200 wrote to memory of 2804	4200	tmp240587656.exe	85
PID 4200 wrote to memory of 2804	4200	tmp240587656.exe	85
PID 2804 wrote to memory of 1776	2804	notpad.exe	86
PID 2804 wrote to memory of 1776	2804	notpad.exe	86
PID 2804 wrote to memory of 1776	2804	notpad.exe	86
PID 2804 wrote to memory of 4608	2804	notpad.exe	87
PID 2804 wrote to memory of 4608	2804	notpad.exe	87
PID 2804 wrote to memory of 4608	2804	notpad.exe	87
PID 1776 wrote to memory of 3836	1776	tmp240587890.exe	88
PID 1776 wrote to memory of 3836	1776	tmp240587890.exe	88
PID 1776 wrote to memory of 3836	1776	tmp240587890.exe	88
PID 3836 wrote to memory of 2280	3836	notpad.exe	109
PID 3836 wrote to memory of 2280	3836	notpad.exe	109
PID 3836 wrote to memory of 2280	3836	notpad.exe	109
PID 3836 wrote to memory of 312	3836	notpad.exe	108
PID 3836 wrote to memory of 312	3836	notpad.exe	108
PID 3836 wrote to memory of 312	3836	notpad.exe	108
PID 2280 wrote to memory of 4628	2280	tmp240588171.exe	107
PID 2280 wrote to memory of 4628	2280	tmp240588171.exe	107
PID 2280 wrote to memory of 4628	2280	tmp240588171.exe	107
PID 4628 wrote to memory of 1652	4628	notpad.exe	106
PID 4628 wrote to memory of 1652	4628	notpad.exe	106
PID 4628 wrote to memory of 1652	4628	notpad.exe	106
PID 4628 wrote to memory of 1120	4628	notpad.exe	89
PID 4628 wrote to memory of 1120	4628	notpad.exe	89
PID 4628 wrote to memory of 1120	4628	notpad.exe	89
PID 1652 wrote to memory of 4236	1652	tmp240588390.exe	105
PID 1652 wrote to memory of 4236	1652	tmp240588390.exe	105
PID 1652 wrote to memory of 4236	1652	tmp240588390.exe	105
PID 4236 wrote to memory of 4368	4236	notpad.exe	104
PID 4236 wrote to memory of 4368	4236	notpad.exe	104
PID 4236 wrote to memory of 4368	4236	notpad.exe	104
PID 4236 wrote to memory of 1064	4236	notpad.exe	90
PID 4236 wrote to memory of 1064	4236	notpad.exe	90
PID 4236 wrote to memory of 1064	4236	notpad.exe	90
PID 4368 wrote to memory of 3512	4368	tmp240588656.exe	103

C:\Users\Admin\AppData\Local\Temp\d4139ed12fbe586c7b65902b07038d03b79b057b528c45f68115dd2dbb928034.exe
"C:\Users\Admin\AppData\Local\Temp\d4139ed12fbe586c7b65902b07038d03b79b057b528c45f68115dd2dbb928034.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4296
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4120
- - C:\Users\Admin\AppData\Local\Temp\tmp240586796.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240586796.exe
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1300
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4344
    - - C:\Users\Admin\AppData\Local\Temp\tmp240587468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240587468.exe
        5⤵
        Executes dropped EXE
        
        PID:4660
    - - C:\Users\Admin\AppData\Local\Temp\tmp240587046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240587046.exe
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1888
- - C:\Users\Admin\AppData\Local\Temp\tmp240586890.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240586890.exe
    3⤵
    - Executes dropped EXE
    PID:1444

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Users\Admin\AppData\Local\Temp\tmp240587734.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240587734.exe
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Users\Admin\AppData\Local\Temp\tmp240587656.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240587656.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4200

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2804
- C:\Users\Admin\AppData\Local\Temp\tmp240587890.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240587890.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3836
  - - C:\Users\Admin\AppData\Local\Temp\tmp240588203.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240588203.exe
      4⤵
      Executes dropped EXE
      PID:312
  - - C:\Users\Admin\AppData\Local\Temp\tmp240588171.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240588171.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in System32 directory
      Suspicious use of WriteProcessMemory
      PID:2280
- C:\Users\Admin\AppData\Local\Temp\tmp240587968.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240587968.exe
  2⤵
  - Executes dropped EXE
  PID:4608

C:\Users\Admin\AppData\Local\Temp\tmp240588468.exe
C:\Users\Admin\AppData\Local\Temp\tmp240588468.exe
1⤵
- Executes dropped EXE
PID:1120

C:\Users\Admin\AppData\Local\Temp\tmp240588718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240588718.exe
1⤵
- Executes dropped EXE
PID:1064

C:\Users\Admin\AppData\Local\Temp\tmp240588875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240588875.exe
1⤵
- Executes dropped EXE
PID:3724

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
PID:1584
- C:\Users\Admin\AppData\Local\Temp\tmp240589031.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240589031.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  PID:3516
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    PID:2236
  - - C:\Users\Admin\AppData\Local\Temp\tmp240589359.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240589359.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Modifies registry class
      PID:3200
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        Executes dropped EXE
        
        PID:4152
  - - C:\Users\Admin\AppData\Local\Temp\tmp240589390.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240589390.exe
      4⤵
      Executes dropped EXE
      PID:3668
- C:\Users\Admin\AppData\Local\Temp\tmp240589218.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240589218.exe
  2⤵
  - Executes dropped EXE
  PID:4680

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
PID:1324
- C:\Users\Admin\AppData\Local\Temp\tmp240589843.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240589843.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Modifies registry class
  PID:1612
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    PID:3912
  - - C:\Users\Admin\AppData\Local\Temp\tmp240620671.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240620671.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in System32 directory
      Modifies registry class
      PID:1748
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        Executes dropped EXE
        
        PID:3732
      - C:\Users\Admin\AppData\Local\Temp\tmp240626703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626703.exe
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        
        PID:2684
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        Executes dropped EXE
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627890.exe
        8⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1044
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        Executes dropped EXE
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628359.exe
        10⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4132
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        Executes dropped EXE
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628890.exe
        12⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1436
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        Executes dropped EXE
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630765.exe
        14⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:688
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        Executes dropped EXE
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631187.exe
        16⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        17⤵
        Executes dropped EXE
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631593.exe
        18⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        
        PID:4140
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        19⤵
        Executes dropped EXE
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635921.exe
        20⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        
        PID:3616
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        21⤵
        Executes dropped EXE
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648500.exe
        22⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        23⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648687.exe
        24⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4396
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        25⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648968.exe
        26⤵
        Checks computer location settings
        Modifies registry class
        
        PID:484
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        27⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668781.exe
        28⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3684
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        29⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669234.exe
        30⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        31⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669421.exe
        32⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1764
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        33⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669921.exe
        34⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        35⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670421.exe
        36⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1720
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        37⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670734.exe
        38⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4884
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        39⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671125.exe
        40⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4788
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        41⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671312.exe
        42⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4280
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        43⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671656.exe
        44⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2168
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        45⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674078.exe
        46⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2076
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        47⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674375.exe
        48⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4996
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        49⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674562.exe
        50⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2316
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        51⤵
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674875.exe
        52⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4144
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        53⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675156.exe
        54⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1128
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        55⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675390.exe
        56⤵
        Checks computer location settings
        Modifies registry class
        
        PID:628
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        57⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675640.exe
        58⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        59⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675921.exe
        60⤵
        Checks computer location settings
        Modifies registry class
        
        PID:224
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        61⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676218.exe
        62⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1776
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        63⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676500.exe
        64⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1404
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        65⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676703.exe
        66⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1120
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        67⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676890.exe
        68⤵
        Checks computer location settings
        
        PID:2296
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        69⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677125.exe
        70⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677109.exe
        70⤵
        Checks computer location settings
        Modifies registry class
        
        PID:860
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        71⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677312.exe
        72⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:832
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        73⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677515.exe
        74⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3900
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        75⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677750.exe
        76⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        77⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677921.exe
        78⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4880
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        79⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678109.exe
        80⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2836
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        81⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697109.exe
        82⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1324
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        83⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697812.exe
        84⤵
        Checks computer location settings
        Modifies registry class
        
        PID:912
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        85⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698484.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4676
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        87⤵
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698953.exe
        88⤵
        Checks computer location settings
        
        PID:1044
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        89⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\tmp240699640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240699640.exe
        90⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:5032
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        91⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240699953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240699953.exe
        92⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1732
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        93⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700218.exe
        94⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1440
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        95⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700500.exe
        96⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        97⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700781.exe
        98⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4532
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        99⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701046.exe
        100⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4352
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        101⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701718.exe
        102⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        103⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702062.exe
        104⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3836
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        105⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702531.exe
        106⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1388
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        107⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702828.exe
        108⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        109⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703109.exe
        110⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        111⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703609.exe
        112⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2828
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        113⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704281.exe
        114⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704437.exe
        114⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704734.exe
        115⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704765.exe
        115⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704109.exe
        112⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704703.exe
        113⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704859.exe
        113⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703328.exe
        110⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703531.exe
        111⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        112⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703781.exe
        113⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        114⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705031.exe
        115⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        116⤵
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705265.exe
        117⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        118⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\tmp240711968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240711968.exe
        119⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706390.exe
        117⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705062.exe
        115⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\tmp240711656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240711656.exe
        116⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704453.exe
        113⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704781.exe
        114⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704937.exe
        114⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703593.exe
        111⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702906.exe
        108⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703015.exe
        109⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703046.exe
        109⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702609.exe
        106⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702718.exe
        107⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702781.exe
        107⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702140.exe
        104⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701796.exe
        102⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701359.exe
        100⤵
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700843.exe
        98⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700531.exe
        96⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700312.exe
        94⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700062.exe
        92⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\tmp240699750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240699750.exe
        90⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240699203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240699203.exe
        88⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698781.exe
        86⤵
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698296.exe
        84⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697640.exe
        82⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678781.exe
        80⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677937.exe
        78⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677765.exe
        76⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677531.exe
        74⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677343.exe
        72⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676921.exe
        68⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676718.exe
        66⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676546.exe
        64⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676296.exe
        62⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676046.exe
        60⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675734.exe
        58⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675484.exe
        56⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675234.exe
        54⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674968.exe
        52⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674703.exe
        50⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674406.exe
        48⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674187.exe
        46⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671828.exe
        44⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671468.exe
        42⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671140.exe
        40⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670796.exe
        38⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670531.exe
        36⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670218.exe
        34⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669734.exe
        32⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669250.exe
        30⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669078.exe
        28⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650265.exe
        26⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648734.exe
        24⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648546.exe
        22⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648250.exe
        20⤵
        Executes dropped EXE
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631828.exe
        18⤵
        Executes dropped EXE
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631359.exe
        16⤵
        Executes dropped EXE
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630953.exe
        14⤵
        Executes dropped EXE
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629203.exe
        12⤵
        Executes dropped EXE
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628734.exe
        10⤵
        Executes dropped EXE
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628203.exe
        8⤵
        Executes dropped EXE
        
        PID:1564
      - C:\Users\Admin\AppData\Local\Temp\tmp240627671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627671.exe
        6⤵
        Executes dropped EXE
        
        PID:4148
  - - C:\Users\Admin\AppData\Local\Temp\tmp240626281.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240626281.exe
      4⤵
      Executes dropped EXE
      PID:3896
- C:\Users\Admin\AppData\Local\Temp\tmp240613515.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240613515.exe
  2⤵
  - Executes dropped EXE
  PID:1116

C:\Users\Admin\AppData\Local\Temp\tmp240589671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240589671.exe
1⤵
- Executes dropped EXE
PID:4208

C:\Users\Admin\AppData\Local\Temp\tmp240589640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240589640.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:2828

C:\Users\Admin\AppData\Local\Temp\tmp240588828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240588828.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:4268

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
PID:3512

C:\Users\Admin\AppData\Local\Temp\tmp240588656.exe
C:\Users\Admin\AppData\Local\Temp\tmp240588656.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4368

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4236

C:\Users\Admin\AppData\Local\Temp\tmp240588390.exe
C:\Users\Admin\AppData\Local\Temp\tmp240588390.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4628

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp240586796.exe

Filesize
290KB

MD5
2f5028a3c344d1a7cb45563e7641bb30

SHA1
8e4b97268082a2d4d3af1b6d875c86e44c041842

SHA256
d4139ed12fbe586c7b65902b07038d03b79b057b528c45f68115dd2dbb928034

SHA512
0ab29058e2571832baad0aae732b4ace136036881348ca4104c1583ed63c34a5ec6c4328ab90fd1214ff1380210c57cebf353a859f97d3f2d2f63f516873746f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240586796.exe

Filesize
290KB

MD5
2f5028a3c344d1a7cb45563e7641bb30

SHA1
8e4b97268082a2d4d3af1b6d875c86e44c041842

SHA256
d4139ed12fbe586c7b65902b07038d03b79b057b528c45f68115dd2dbb928034

SHA512
0ab29058e2571832baad0aae732b4ace136036881348ca4104c1583ed63c34a5ec6c4328ab90fd1214ff1380210c57cebf353a859f97d3f2d2f63f516873746f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240586890.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240587046.exe

Filesize
290KB

MD5
2f5028a3c344d1a7cb45563e7641bb30

SHA1
8e4b97268082a2d4d3af1b6d875c86e44c041842

SHA256
d4139ed12fbe586c7b65902b07038d03b79b057b528c45f68115dd2dbb928034

SHA512
0ab29058e2571832baad0aae732b4ace136036881348ca4104c1583ed63c34a5ec6c4328ab90fd1214ff1380210c57cebf353a859f97d3f2d2f63f516873746f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240587046.exe

Filesize
290KB

MD5
2f5028a3c344d1a7cb45563e7641bb30

SHA1
8e4b97268082a2d4d3af1b6d875c86e44c041842

SHA256
d4139ed12fbe586c7b65902b07038d03b79b057b528c45f68115dd2dbb928034

SHA512
0ab29058e2571832baad0aae732b4ace136036881348ca4104c1583ed63c34a5ec6c4328ab90fd1214ff1380210c57cebf353a859f97d3f2d2f63f516873746f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240587468.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240587656.exe

Filesize
290KB

MD5
2f5028a3c344d1a7cb45563e7641bb30

SHA1
8e4b97268082a2d4d3af1b6d875c86e44c041842

SHA256
d4139ed12fbe586c7b65902b07038d03b79b057b528c45f68115dd2dbb928034

SHA512
0ab29058e2571832baad0aae732b4ace136036881348ca4104c1583ed63c34a5ec6c4328ab90fd1214ff1380210c57cebf353a859f97d3f2d2f63f516873746f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240587656.exe

Filesize
290KB

MD5
2f5028a3c344d1a7cb45563e7641bb30

SHA1
8e4b97268082a2d4d3af1b6d875c86e44c041842

SHA256
d4139ed12fbe586c7b65902b07038d03b79b057b528c45f68115dd2dbb928034

SHA512
0ab29058e2571832baad0aae732b4ace136036881348ca4104c1583ed63c34a5ec6c4328ab90fd1214ff1380210c57cebf353a859f97d3f2d2f63f516873746f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240587734.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240587890.exe

Filesize
290KB

MD5
2f5028a3c344d1a7cb45563e7641bb30

SHA1
8e4b97268082a2d4d3af1b6d875c86e44c041842

SHA256
d4139ed12fbe586c7b65902b07038d03b79b057b528c45f68115dd2dbb928034

SHA512
0ab29058e2571832baad0aae732b4ace136036881348ca4104c1583ed63c34a5ec6c4328ab90fd1214ff1380210c57cebf353a859f97d3f2d2f63f516873746f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240587890.exe

Filesize
290KB

MD5
2f5028a3c344d1a7cb45563e7641bb30

SHA1
8e4b97268082a2d4d3af1b6d875c86e44c041842

SHA256
d4139ed12fbe586c7b65902b07038d03b79b057b528c45f68115dd2dbb928034

SHA512
0ab29058e2571832baad0aae732b4ace136036881348ca4104c1583ed63c34a5ec6c4328ab90fd1214ff1380210c57cebf353a859f97d3f2d2f63f516873746f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240587968.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240588171.exe

Filesize
290KB

MD5
2f5028a3c344d1a7cb45563e7641bb30

SHA1
8e4b97268082a2d4d3af1b6d875c86e44c041842

SHA256
d4139ed12fbe586c7b65902b07038d03b79b057b528c45f68115dd2dbb928034

SHA512
0ab29058e2571832baad0aae732b4ace136036881348ca4104c1583ed63c34a5ec6c4328ab90fd1214ff1380210c57cebf353a859f97d3f2d2f63f516873746f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240588171.exe

Filesize
290KB

MD5
2f5028a3c344d1a7cb45563e7641bb30

SHA1
8e4b97268082a2d4d3af1b6d875c86e44c041842

SHA256
d4139ed12fbe586c7b65902b07038d03b79b057b528c45f68115dd2dbb928034

SHA512
0ab29058e2571832baad0aae732b4ace136036881348ca4104c1583ed63c34a5ec6c4328ab90fd1214ff1380210c57cebf353a859f97d3f2d2f63f516873746f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240588203.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240588390.exe

Filesize
290KB

MD5
2f5028a3c344d1a7cb45563e7641bb30

SHA1
8e4b97268082a2d4d3af1b6d875c86e44c041842

SHA256
d4139ed12fbe586c7b65902b07038d03b79b057b528c45f68115dd2dbb928034

SHA512
0ab29058e2571832baad0aae732b4ace136036881348ca4104c1583ed63c34a5ec6c4328ab90fd1214ff1380210c57cebf353a859f97d3f2d2f63f516873746f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240588390.exe

Filesize
290KB

MD5
2f5028a3c344d1a7cb45563e7641bb30

SHA1
8e4b97268082a2d4d3af1b6d875c86e44c041842

SHA256
d4139ed12fbe586c7b65902b07038d03b79b057b528c45f68115dd2dbb928034

SHA512
0ab29058e2571832baad0aae732b4ace136036881348ca4104c1583ed63c34a5ec6c4328ab90fd1214ff1380210c57cebf353a859f97d3f2d2f63f516873746f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240588468.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240588656.exe

Filesize
290KB

MD5
2f5028a3c344d1a7cb45563e7641bb30

SHA1
8e4b97268082a2d4d3af1b6d875c86e44c041842

SHA256
d4139ed12fbe586c7b65902b07038d03b79b057b528c45f68115dd2dbb928034

SHA512
0ab29058e2571832baad0aae732b4ace136036881348ca4104c1583ed63c34a5ec6c4328ab90fd1214ff1380210c57cebf353a859f97d3f2d2f63f516873746f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240588656.exe

Filesize
290KB

MD5
2f5028a3c344d1a7cb45563e7641bb30

SHA1
8e4b97268082a2d4d3af1b6d875c86e44c041842

SHA256
d4139ed12fbe586c7b65902b07038d03b79b057b528c45f68115dd2dbb928034

SHA512
0ab29058e2571832baad0aae732b4ace136036881348ca4104c1583ed63c34a5ec6c4328ab90fd1214ff1380210c57cebf353a859f97d3f2d2f63f516873746f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240588718.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240588828.exe

Filesize
290KB

MD5
2f5028a3c344d1a7cb45563e7641bb30

SHA1
8e4b97268082a2d4d3af1b6d875c86e44c041842

SHA256
d4139ed12fbe586c7b65902b07038d03b79b057b528c45f68115dd2dbb928034

SHA512
0ab29058e2571832baad0aae732b4ace136036881348ca4104c1583ed63c34a5ec6c4328ab90fd1214ff1380210c57cebf353a859f97d3f2d2f63f516873746f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240588828.exe

Filesize
290KB

MD5
2f5028a3c344d1a7cb45563e7641bb30

SHA1
8e4b97268082a2d4d3af1b6d875c86e44c041842

SHA256
d4139ed12fbe586c7b65902b07038d03b79b057b528c45f68115dd2dbb928034

SHA512
0ab29058e2571832baad0aae732b4ace136036881348ca4104c1583ed63c34a5ec6c4328ab90fd1214ff1380210c57cebf353a859f97d3f2d2f63f516873746f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240588875.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240589031.exe

Filesize
290KB

MD5
2f5028a3c344d1a7cb45563e7641bb30

SHA1
8e4b97268082a2d4d3af1b6d875c86e44c041842

SHA256
d4139ed12fbe586c7b65902b07038d03b79b057b528c45f68115dd2dbb928034

SHA512
0ab29058e2571832baad0aae732b4ace136036881348ca4104c1583ed63c34a5ec6c4328ab90fd1214ff1380210c57cebf353a859f97d3f2d2f63f516873746f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240589031.exe

Filesize
290KB

MD5
2f5028a3c344d1a7cb45563e7641bb30

SHA1
8e4b97268082a2d4d3af1b6d875c86e44c041842

SHA256
d4139ed12fbe586c7b65902b07038d03b79b057b528c45f68115dd2dbb928034

SHA512
0ab29058e2571832baad0aae732b4ace136036881348ca4104c1583ed63c34a5ec6c4328ab90fd1214ff1380210c57cebf353a859f97d3f2d2f63f516873746f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240589218.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240589359.exe

Filesize
290KB

MD5
2f5028a3c344d1a7cb45563e7641bb30

SHA1
8e4b97268082a2d4d3af1b6d875c86e44c041842

SHA256
d4139ed12fbe586c7b65902b07038d03b79b057b528c45f68115dd2dbb928034

SHA512
0ab29058e2571832baad0aae732b4ace136036881348ca4104c1583ed63c34a5ec6c4328ab90fd1214ff1380210c57cebf353a859f97d3f2d2f63f516873746f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240589359.exe

Filesize
290KB

MD5
2f5028a3c344d1a7cb45563e7641bb30

SHA1
8e4b97268082a2d4d3af1b6d875c86e44c041842

SHA256
d4139ed12fbe586c7b65902b07038d03b79b057b528c45f68115dd2dbb928034

SHA512
0ab29058e2571832baad0aae732b4ace136036881348ca4104c1583ed63c34a5ec6c4328ab90fd1214ff1380210c57cebf353a859f97d3f2d2f63f516873746f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240589390.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240589640.exe

Filesize
290KB

MD5
2f5028a3c344d1a7cb45563e7641bb30

SHA1
8e4b97268082a2d4d3af1b6d875c86e44c041842

SHA256
d4139ed12fbe586c7b65902b07038d03b79b057b528c45f68115dd2dbb928034

SHA512
0ab29058e2571832baad0aae732b4ace136036881348ca4104c1583ed63c34a5ec6c4328ab90fd1214ff1380210c57cebf353a859f97d3f2d2f63f516873746f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240589640.exe

Filesize
290KB

MD5
2f5028a3c344d1a7cb45563e7641bb30

SHA1
8e4b97268082a2d4d3af1b6d875c86e44c041842

SHA256
d4139ed12fbe586c7b65902b07038d03b79b057b528c45f68115dd2dbb928034

SHA512
0ab29058e2571832baad0aae732b4ace136036881348ca4104c1583ed63c34a5ec6c4328ab90fd1214ff1380210c57cebf353a859f97d3f2d2f63f516873746f

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
290KB

MD5
2f5028a3c344d1a7cb45563e7641bb30

SHA1
8e4b97268082a2d4d3af1b6d875c86e44c041842

SHA256
d4139ed12fbe586c7b65902b07038d03b79b057b528c45f68115dd2dbb928034

SHA512
0ab29058e2571832baad0aae732b4ace136036881348ca4104c1583ed63c34a5ec6c4328ab90fd1214ff1380210c57cebf353a859f97d3f2d2f63f516873746f

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
290KB

MD5
2f5028a3c344d1a7cb45563e7641bb30

SHA1
8e4b97268082a2d4d3af1b6d875c86e44c041842

SHA256
d4139ed12fbe586c7b65902b07038d03b79b057b528c45f68115dd2dbb928034

SHA512
0ab29058e2571832baad0aae732b4ace136036881348ca4104c1583ed63c34a5ec6c4328ab90fd1214ff1380210c57cebf353a859f97d3f2d2f63f516873746f

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
290KB

MD5
2f5028a3c344d1a7cb45563e7641bb30

SHA1
8e4b97268082a2d4d3af1b6d875c86e44c041842

SHA256
d4139ed12fbe586c7b65902b07038d03b79b057b528c45f68115dd2dbb928034

SHA512
0ab29058e2571832baad0aae732b4ace136036881348ca4104c1583ed63c34a5ec6c4328ab90fd1214ff1380210c57cebf353a859f97d3f2d2f63f516873746f

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
290KB

MD5
2f5028a3c344d1a7cb45563e7641bb30

SHA1
8e4b97268082a2d4d3af1b6d875c86e44c041842

SHA256
d4139ed12fbe586c7b65902b07038d03b79b057b528c45f68115dd2dbb928034

SHA512
0ab29058e2571832baad0aae732b4ace136036881348ca4104c1583ed63c34a5ec6c4328ab90fd1214ff1380210c57cebf353a859f97d3f2d2f63f516873746f

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
290KB

MD5
2f5028a3c344d1a7cb45563e7641bb30

SHA1
8e4b97268082a2d4d3af1b6d875c86e44c041842

SHA256
d4139ed12fbe586c7b65902b07038d03b79b057b528c45f68115dd2dbb928034

SHA512
0ab29058e2571832baad0aae732b4ace136036881348ca4104c1583ed63c34a5ec6c4328ab90fd1214ff1380210c57cebf353a859f97d3f2d2f63f516873746f

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
290KB

MD5
2f5028a3c344d1a7cb45563e7641bb30

SHA1
8e4b97268082a2d4d3af1b6d875c86e44c041842

SHA256
d4139ed12fbe586c7b65902b07038d03b79b057b528c45f68115dd2dbb928034

SHA512
0ab29058e2571832baad0aae732b4ace136036881348ca4104c1583ed63c34a5ec6c4328ab90fd1214ff1380210c57cebf353a859f97d3f2d2f63f516873746f

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
290KB

MD5
2f5028a3c344d1a7cb45563e7641bb30

SHA1
8e4b97268082a2d4d3af1b6d875c86e44c041842

SHA256
d4139ed12fbe586c7b65902b07038d03b79b057b528c45f68115dd2dbb928034

SHA512
0ab29058e2571832baad0aae732b4ace136036881348ca4104c1583ed63c34a5ec6c4328ab90fd1214ff1380210c57cebf353a859f97d3f2d2f63f516873746f

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
463KB

MD5
0ab8095a4a19f15e51106b162f53022a

SHA1
91bf25100174d79b3e03794c661ccff6a7ac4b71

SHA256
04a186c47b52ab7c2bb54472709320c221dab28f82f7aebc6ae50464898e6c3d

SHA512
abe4217b6d3a64b71218d7c5fb5caa2ffa3d53275cb23f15eed96e2ff8d6a418a6f8fe63e6624b0f1c916babbce3d9bc4e0dbc04b3433ea0316d2a88af8f7fe1

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
463KB

MD5
0ab8095a4a19f15e51106b162f53022a

SHA1
91bf25100174d79b3e03794c661ccff6a7ac4b71

SHA256
04a186c47b52ab7c2bb54472709320c221dab28f82f7aebc6ae50464898e6c3d

SHA512
abe4217b6d3a64b71218d7c5fb5caa2ffa3d53275cb23f15eed96e2ff8d6a418a6f8fe63e6624b0f1c916babbce3d9bc4e0dbc04b3433ea0316d2a88af8f7fe1

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
463KB

MD5
0ab8095a4a19f15e51106b162f53022a

SHA1
91bf25100174d79b3e03794c661ccff6a7ac4b71

SHA256
04a186c47b52ab7c2bb54472709320c221dab28f82f7aebc6ae50464898e6c3d

SHA512
abe4217b6d3a64b71218d7c5fb5caa2ffa3d53275cb23f15eed96e2ff8d6a418a6f8fe63e6624b0f1c916babbce3d9bc4e0dbc04b3433ea0316d2a88af8f7fe1

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
463KB

MD5
0ab8095a4a19f15e51106b162f53022a

SHA1
91bf25100174d79b3e03794c661ccff6a7ac4b71

SHA256
04a186c47b52ab7c2bb54472709320c221dab28f82f7aebc6ae50464898e6c3d

SHA512
abe4217b6d3a64b71218d7c5fb5caa2ffa3d53275cb23f15eed96e2ff8d6a418a6f8fe63e6624b0f1c916babbce3d9bc4e0dbc04b3433ea0316d2a88af8f7fe1

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
463KB

MD5
0ab8095a4a19f15e51106b162f53022a

SHA1
91bf25100174d79b3e03794c661ccff6a7ac4b71

SHA256
04a186c47b52ab7c2bb54472709320c221dab28f82f7aebc6ae50464898e6c3d

SHA512
abe4217b6d3a64b71218d7c5fb5caa2ffa3d53275cb23f15eed96e2ff8d6a418a6f8fe63e6624b0f1c916babbce3d9bc4e0dbc04b3433ea0316d2a88af8f7fe1

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
463KB

MD5
0ab8095a4a19f15e51106b162f53022a

SHA1
91bf25100174d79b3e03794c661ccff6a7ac4b71

SHA256
04a186c47b52ab7c2bb54472709320c221dab28f82f7aebc6ae50464898e6c3d

SHA512
abe4217b6d3a64b71218d7c5fb5caa2ffa3d53275cb23f15eed96e2ff8d6a418a6f8fe63e6624b0f1c916babbce3d9bc4e0dbc04b3433ea0316d2a88af8f7fe1

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
463KB

MD5
0ab8095a4a19f15e51106b162f53022a

SHA1
91bf25100174d79b3e03794c661ccff6a7ac4b71

SHA256
04a186c47b52ab7c2bb54472709320c221dab28f82f7aebc6ae50464898e6c3d

SHA512
abe4217b6d3a64b71218d7c5fb5caa2ffa3d53275cb23f15eed96e2ff8d6a418a6f8fe63e6624b0f1c916babbce3d9bc4e0dbc04b3433ea0316d2a88af8f7fe1

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
463KB

MD5
0ab8095a4a19f15e51106b162f53022a

SHA1
91bf25100174d79b3e03794c661ccff6a7ac4b71

SHA256
04a186c47b52ab7c2bb54472709320c221dab28f82f7aebc6ae50464898e6c3d

SHA512
abe4217b6d3a64b71218d7c5fb5caa2ffa3d53275cb23f15eed96e2ff8d6a418a6f8fe63e6624b0f1c916babbce3d9bc4e0dbc04b3433ea0316d2a88af8f7fe1

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
463KB

MD5
0ab8095a4a19f15e51106b162f53022a

SHA1
91bf25100174d79b3e03794c661ccff6a7ac4b71

SHA256
04a186c47b52ab7c2bb54472709320c221dab28f82f7aebc6ae50464898e6c3d

SHA512
abe4217b6d3a64b71218d7c5fb5caa2ffa3d53275cb23f15eed96e2ff8d6a418a6f8fe63e6624b0f1c916babbce3d9bc4e0dbc04b3433ea0316d2a88af8f7fe1

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
463KB

MD5
0ab8095a4a19f15e51106b162f53022a

SHA1
91bf25100174d79b3e03794c661ccff6a7ac4b71

SHA256
04a186c47b52ab7c2bb54472709320c221dab28f82f7aebc6ae50464898e6c3d

SHA512
abe4217b6d3a64b71218d7c5fb5caa2ffa3d53275cb23f15eed96e2ff8d6a418a6f8fe63e6624b0f1c916babbce3d9bc4e0dbc04b3433ea0316d2a88af8f7fe1

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
463KB

MD5
0ab8095a4a19f15e51106b162f53022a

SHA1
91bf25100174d79b3e03794c661ccff6a7ac4b71

SHA256
04a186c47b52ab7c2bb54472709320c221dab28f82f7aebc6ae50464898e6c3d

SHA512
abe4217b6d3a64b71218d7c5fb5caa2ffa3d53275cb23f15eed96e2ff8d6a418a6f8fe63e6624b0f1c916babbce3d9bc4e0dbc04b3433ea0316d2a88af8f7fe1

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
463KB

MD5
0ab8095a4a19f15e51106b162f53022a

SHA1
91bf25100174d79b3e03794c661ccff6a7ac4b71

SHA256
04a186c47b52ab7c2bb54472709320c221dab28f82f7aebc6ae50464898e6c3d

SHA512
abe4217b6d3a64b71218d7c5fb5caa2ffa3d53275cb23f15eed96e2ff8d6a418a6f8fe63e6624b0f1c916babbce3d9bc4e0dbc04b3433ea0316d2a88af8f7fe1

Download Submit
memory/208-280-0x0000000000000000-mapping.dmp

Download
memory/208-282-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/208-285-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/312-181-0x0000000000000000-mapping.dmp

Download
memory/688-273-0x0000000000000000-mapping.dmp

Download
memory/1004-319-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1044-260-0x0000000000000000-mapping.dmp

Download
memory/1064-202-0x0000000000000000-mapping.dmp

Download
memory/1068-308-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1068-307-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1116-248-0x0000000000000000-mapping.dmp

Download
memory/1120-192-0x0000000000000000-mapping.dmp

Download
memory/1176-268-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1176-265-0x0000000000000000-mapping.dmp

Download
memory/1176-271-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1276-297-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1300-135-0x0000000000000000-mapping.dmp

Download
memory/1324-243-0x0000000000000000-mapping.dmp

Download
memory/1324-250-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1324-244-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1372-270-0x0000000000000000-mapping.dmp

Download
memory/1420-275-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1420-272-0x0000000000000000-mapping.dmp

Download
memory/1436-269-0x0000000000000000-mapping.dmp

Download
memory/1444-142-0x0000000000000000-mapping.dmp

Download
memory/1564-262-0x0000000000000000-mapping.dmp

Download
memory/1584-224-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1584-322-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1584-215-0x0000000000000000-mapping.dmp

Download
memory/1612-245-0x0000000000000000-mapping.dmp

Download
memory/1652-187-0x0000000000000000-mapping.dmp

Download
memory/1728-303-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1728-302-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1732-266-0x0000000000000000-mapping.dmp

Download
memory/1748-249-0x0000000000000000-mapping.dmp

Download
memory/1776-166-0x0000000000000000-mapping.dmp

Download
memory/1792-309-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1888-146-0x0000000000000000-mapping.dmp

Download
memory/1952-323-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2236-235-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2236-233-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2236-225-0x0000000000000000-mapping.dmp

Download
memory/2280-176-0x0000000000000000-mapping.dmp

Download
memory/2324-315-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2388-278-0x0000000000000000-mapping.dmp

Download
memory/2400-300-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2628-267-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2628-261-0x0000000000000000-mapping.dmp

Download
memory/2648-298-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2648-299-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2684-255-0x0000000000000000-mapping.dmp

Download
memory/2804-164-0x0000000000000000-mapping.dmp

Download
memory/2804-173-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2828-238-0x0000000000000000-mapping.dmp

Download
memory/2836-305-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2840-161-0x0000000000000000-mapping.dmp

Download
memory/3080-317-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3116-316-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3192-279-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3192-276-0x0000000000000000-mapping.dmp

Download
memory/3200-227-0x0000000000000000-mapping.dmp

Download
memory/3240-304-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3240-301-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3416-295-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3416-293-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3416-294-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3512-205-0x0000000000000000-mapping.dmp

Download
memory/3512-214-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3516-217-0x0000000000000000-mapping.dmp

Download
memory/3592-288-0x0000000000000000-mapping.dmp

Download
memory/3608-296-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3616-287-0x0000000000000000-mapping.dmp

Download
memory/3616-318-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3668-230-0x0000000000000000-mapping.dmp

Download
memory/3724-212-0x0000000000000000-mapping.dmp

Download
memory/3728-313-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3732-254-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3732-253-0x0000000000000000-mapping.dmp

Download
memory/3732-258-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3836-183-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3836-290-0x0000000000000000-mapping.dmp

Download
memory/3836-291-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3836-174-0x0000000000000000-mapping.dmp

Download
memory/3888-306-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3896-251-0x0000000000000000-mapping.dmp

Download
memory/3912-246-0x0000000000000000-mapping.dmp

Download
memory/3912-247-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3912-252-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4116-321-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4120-132-0x0000000000000000-mapping.dmp

Download
memory/4120-144-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4132-264-0x0000000000000000-mapping.dmp

Download
memory/4132-312-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4140-281-0x0000000000000000-mapping.dmp

Download
memory/4148-257-0x0000000000000000-mapping.dmp

Download
memory/4152-242-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4152-236-0x0000000000000000-mapping.dmp

Download
memory/4160-256-0x0000000000000000-mapping.dmp

Download
memory/4160-263-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4160-259-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4200-156-0x0000000000000000-mapping.dmp

Download
memory/4208-241-0x0000000000000000-mapping.dmp

Download
memory/4220-292-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4232-154-0x0000000000000000-mapping.dmp

Download
memory/4232-163-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4236-204-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4236-195-0x0000000000000000-mapping.dmp

Download
memory/4268-207-0x0000000000000000-mapping.dmp

Download
memory/4344-314-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4344-153-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4344-140-0x0000000000000000-mapping.dmp

Download
memory/4344-145-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4344-274-0x0000000000000000-mapping.dmp

Download
memory/4368-197-0x0000000000000000-mapping.dmp

Download
memory/4396-320-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4460-311-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4608-171-0x0000000000000000-mapping.dmp

Download
memory/4628-184-0x0000000000000000-mapping.dmp

Download
memory/4628-194-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4628-186-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4660-151-0x0000000000000000-mapping.dmp

Download
memory/4680-222-0x0000000000000000-mapping.dmp

Download
memory/4856-310-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5012-277-0x0000000000000000-mapping.dmp

Download
memory/5016-283-0x0000000000000000-mapping.dmp

Download
memory/5044-286-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5044-289-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5044-284-0x0000000000000000-mapping.dmp

Download