405d9b1ffab12d04a8305b48a2fa1ad59b0977b48e63b19806c19dff10fcf306

Analysis

max time kernel
71s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 21:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

405d9b1ffab12d04a8305b48a2fa1ad59b0977b48e63b19806c19dff10fcf306.exe
Size

5.3MB
MD5

6c44edc89aabd8ef3f32bf53b80919ba
SHA1

a476eb971501af4541fb6a97a049ab604f112c3b
SHA256

405d9b1ffab12d04a8305b48a2fa1ad59b0977b48e63b19806c19dff10fcf306
SHA512

209f1d3acffda8acaeee06462b2eb8cd5062e984e48b354f4650327a979048f3e83e06fa4391017133af8a62a644f3d1ab03cf6cc57a7b4d60cf8fe9c5ea36b6
SSDEEP

24576:+DyTFtjjDyTFtjuDyTFtjjDyTFtjUDyTFtjjDyTFtj:rtwtvtwtZtwt

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
3856	tmp240568093.exe
1528	tmp240568140.exe
3060	tmp240568312.exe
3400	tmp240568453.exe
5076	tmp240568609.exe
1148	tmp240568734.exe
3196	notpad.exe
3700	notpad.exe
3652	notpad.exe
4084	tmp240575437.exe
3692	tmp240575781.exe
2852	tmp240598687.exe
4012	tmp240577531.exe
1304	tmp240598890.exe
792	tmp240579343.exe
368	notpad.exe
2540	tmp240579625.exe
2796	tmp240589187.exe
3436	tmp240589656.exe
3844	tmp240580937.exe
2496	tmp240582234.exe
4944	tmp240657343.exe
3832	tmp240582484.exe
4236	tmp240582578.exe
1840	notpad.exe
5028	tmp240582875.exe
3820	tmp240626234.exe
4332	notpad.exe
4624	tmp240583265.exe
4100	tmp240693671.exe
2396	notpad.exe
3408	tmp240583671.exe
2688	tmp240583703.exe
1212	tmp240679390.exe
4380	tmp240584000.exe
532	tmp240600187.exe
2984	tmp240600390.exe
2680	tmp240586078.exe
4760	tmp240705687.exe
5100	notpad.exe
844	tmp240600546.exe
1608	notpad.exe
1820	notpad.exe
4716	tmp240586937.exe
4364	tmp240600687.exe
4960	tmp240664656.exe
3388	tmp240636656.exe
4220	tmp240587203.exe
4432	tmp240597437.exe
1644	notpad.exe
1344	tmp240710468.exe
4620	tmp240710921.exe
3508	tmp240711078.exe
1104	tmp240693156.exe
4124	tmp240710421.exe
1484	tmp240688734.exe
3088	tmp240690015.exe
3952	notpad.exe
3700	notpad.exe
3948	tmp240673062.exe
1276	tmp240588640.exe
4140	notpad.exe
4308	tmp240694625.exe
4676	tmp240598718.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0003000000022dd3-136.dat	upx
behavioral2/memory/4996-137-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0003000000022dd3-138.dat	upx
behavioral2/files/0x0003000000022ddd-143.dat	upx
behavioral2/files/0x0003000000022ddd-144.dat	upx
behavioral2/memory/1528-145-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3400-149-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3400-152-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0003000000022ddc-157.dat	upx
behavioral2/files/0x0003000000022ddc-156.dat	upx
behavioral2/files/0x0002000000022dda-161.dat	upx
behavioral2/files/0x0003000000022ddc-164.dat	upx
behavioral2/memory/3196-167-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3652-168-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0002000000022dda-172.dat	upx
behavioral2/files/0x0003000000022ddc-175.dat	upx
behavioral2/memory/3652-178-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2852-179-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2852-187-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0003000000022ddc-189.dat	upx
behavioral2/files/0x0002000000022dda-184.dat	upx
behavioral2/memory/368-190-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/368-198-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0003000000022ddc-200.dat	upx
behavioral2/files/0x0002000000022dda-195.dat	upx
behavioral2/memory/3436-201-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0003000000022ddc-211.dat	upx
behavioral2/memory/4944-219-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0003000000022ddc-221.dat	upx
behavioral2/memory/1840-229-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0003000000022ddc-231.dat	upx
behavioral2/memory/4332-239-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0002000000022dda-236.dat	upx
behavioral2/memory/2396-246-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0003000000022ddc-241.dat	upx
behavioral2/memory/1212-248-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0002000000022dda-226.dat	upx
behavioral2/files/0x0002000000022dda-215.dat	upx
behavioral2/memory/3436-209-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0002000000022dda-205.dat	upx
behavioral2/memory/1212-251-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2984-255-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5100-259-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4960-267-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4432-270-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1644-274-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3508-278-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1484-282-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3700-287-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4140-291-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4352-292-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4408-293-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4052-294-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5092-296-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1440-297-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3920-298-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3532-299-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3776-300-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1520-301-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3828-302-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4892-295-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3700-284-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4432-269-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1820-263-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Checks computer location settings 2 TTPs 54 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240694625.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240591250.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240675937.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240695750.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240707796.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240599093.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240672421.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240589187.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240686312.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240629250.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240650000.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240624406.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240575781.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240636656.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240693156.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240673062.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240599859.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240670468.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240667609.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240598328.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	notpad.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240600546.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240710468.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240629281.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240583671.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240589000.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240695328.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240675093.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240654156.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240664718.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240582484.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240583265.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240710812.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240589656.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240654328.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240632593.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240626234.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240584000.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240597437.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240568093.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240582875.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240586078.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240705937.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240579625.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240580937.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240586937.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240600187.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240597828.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240690015.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240601203.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240598890.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240599390.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240711109.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240600687.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\notpad.exe	tmp240584000.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240586078.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240710468.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240695750.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240599859.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240650000.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240583265.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240583671.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240600546.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240711109.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240598328.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240580937.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240599390.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240707796.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240601203.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240583265.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240710812.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240654156.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240568093.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240575781.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240579625.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240586937.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240690015.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240694625.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240695328.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240695328.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240711109.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240670468.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240632593.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240672421.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240710468.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240589000.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240629281.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240670468.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240675937.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240675093.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240626234.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240575781.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240591250.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240599390.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240670468.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240629250.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240650000.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240568093.exe
File created	C:\Windows\SysWOW64\notpad.exe	notpad.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240710468.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240673062.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240695328.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240597828.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240582875.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240636656.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240694625.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240629281.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240597828.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240599093.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240583265.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240587421.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240707796.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240686312.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240598328.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240654328.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240601203.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240575781.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2416	1148	WerFault.exe	86

Modifies registry class 55 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240582875.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240583671.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240586937.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240673062.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240675937.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240599390.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240600187.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240672421.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240654156.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240690015.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240686312.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240650000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240597828.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240584000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240707796.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240711109.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240695750.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240710812.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240568093.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240575781.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240599859.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240583265.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240694625.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240629281.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240695328.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240670468.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240664718.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240667609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240579625.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240601203.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240626234.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240586078.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240591250.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240629250.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240600687.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240598890.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240600546.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240636656.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240587421.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240632593.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240675093.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240693156.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240589656.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240582484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240597437.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240598328.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240599093.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240624406.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240589000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240589187.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240705937.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240580937.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240710468.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240654328.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4996 wrote to memory of 3856	4996	405d9b1ffab12d04a8305b48a2fa1ad59b0977b48e63b19806c19dff10fcf306.exe	81
PID 4996 wrote to memory of 3856	4996	405d9b1ffab12d04a8305b48a2fa1ad59b0977b48e63b19806c19dff10fcf306.exe	81
PID 4996 wrote to memory of 3856	4996	405d9b1ffab12d04a8305b48a2fa1ad59b0977b48e63b19806c19dff10fcf306.exe	81
PID 4996 wrote to memory of 1528	4996	405d9b1ffab12d04a8305b48a2fa1ad59b0977b48e63b19806c19dff10fcf306.exe	82
PID 4996 wrote to memory of 1528	4996	405d9b1ffab12d04a8305b48a2fa1ad59b0977b48e63b19806c19dff10fcf306.exe	82
PID 4996 wrote to memory of 1528	4996	405d9b1ffab12d04a8305b48a2fa1ad59b0977b48e63b19806c19dff10fcf306.exe	82
PID 1528 wrote to memory of 3060	1528	tmp240568140.exe	83
PID 1528 wrote to memory of 3060	1528	tmp240568140.exe	83
PID 1528 wrote to memory of 3060	1528	tmp240568140.exe	83
PID 1528 wrote to memory of 3400	1528	tmp240568140.exe	84
PID 1528 wrote to memory of 3400	1528	tmp240568140.exe	84
PID 1528 wrote to memory of 3400	1528	tmp240568140.exe	84
PID 3400 wrote to memory of 5076	3400	tmp240568453.exe	85
PID 3400 wrote to memory of 5076	3400	tmp240568453.exe	85
PID 3400 wrote to memory of 5076	3400	tmp240568453.exe	85
PID 3400 wrote to memory of 1148	3400	tmp240568453.exe	86
PID 3400 wrote to memory of 1148	3400	tmp240568453.exe	86
PID 3400 wrote to memory of 1148	3400	tmp240568453.exe	86
PID 3856 wrote to memory of 3196	3856	tmp240568093.exe	89
PID 3856 wrote to memory of 3196	3856	tmp240568093.exe	89
PID 3856 wrote to memory of 3196	3856	tmp240568093.exe	89
PID 3196 wrote to memory of 3700	3196	notpad.exe	170
PID 3196 wrote to memory of 3700	3196	notpad.exe	170
PID 3196 wrote to memory of 3700	3196	notpad.exe	170
PID 3700 wrote to memory of 3652	3700	notpad.exe	91
PID 3700 wrote to memory of 3652	3700	notpad.exe	91
PID 3700 wrote to memory of 3652	3700	notpad.exe	91
PID 3196 wrote to memory of 4084	3196	notpad.exe	92
PID 3196 wrote to memory of 4084	3196	notpad.exe	92
PID 3196 wrote to memory of 4084	3196	notpad.exe	92
PID 3652 wrote to memory of 3692	3652	notpad.exe	93
PID 3652 wrote to memory of 3692	3652	notpad.exe	93
PID 3652 wrote to memory of 3692	3652	notpad.exe	93
PID 3692 wrote to memory of 2852	3692	tmp240575781.exe	202
PID 3692 wrote to memory of 2852	3692	tmp240575781.exe	202
PID 3692 wrote to memory of 2852	3692	tmp240575781.exe	202
PID 3652 wrote to memory of 4012	3652	notpad.exe	95
PID 3652 wrote to memory of 4012	3652	notpad.exe	95
PID 3652 wrote to memory of 4012	3652	notpad.exe	95
PID 2852 wrote to memory of 1304	2852	tmp240598687.exe	251
PID 2852 wrote to memory of 1304	2852	tmp240598687.exe	251
PID 2852 wrote to memory of 1304	2852	tmp240598687.exe	251
PID 2852 wrote to memory of 792	2852	tmp240598687.exe	98
PID 2852 wrote to memory of 792	2852	tmp240598687.exe	98
PID 2852 wrote to memory of 792	2852	tmp240598687.exe	98
PID 1304 wrote to memory of 368	1304	tmp240598890.exe	97
PID 1304 wrote to memory of 368	1304	tmp240598890.exe	97
PID 1304 wrote to memory of 368	1304	tmp240598890.exe	97
PID 368 wrote to memory of 2540	368	notpad.exe	101
PID 368 wrote to memory of 2540	368	notpad.exe	101
PID 368 wrote to memory of 2540	368	notpad.exe	101
PID 368 wrote to memory of 2796	368	notpad.exe	165
PID 368 wrote to memory of 2796	368	notpad.exe	165
PID 368 wrote to memory of 2796	368	notpad.exe	165
PID 2540 wrote to memory of 3436	2540	tmp240579625.exe	139
PID 2540 wrote to memory of 3436	2540	tmp240579625.exe	139
PID 2540 wrote to memory of 3436	2540	tmp240579625.exe	139
PID 3436 wrote to memory of 3844	3436	tmp240589656.exe	116
PID 3436 wrote to memory of 3844	3436	tmp240589656.exe	116
PID 3436 wrote to memory of 3844	3436	tmp240589656.exe	116
PID 3436 wrote to memory of 2496	3436	tmp240589656.exe	102
PID 3436 wrote to memory of 2496	3436	tmp240589656.exe	102
PID 3436 wrote to memory of 2496	3436	tmp240589656.exe	102
PID 3844 wrote to memory of 4944	3844	tmp240580937.exe	376

C:\Users\Admin\AppData\Local\Temp\405d9b1ffab12d04a8305b48a2fa1ad59b0977b48e63b19806c19dff10fcf306.exe
"C:\Users\Admin\AppData\Local\Temp\405d9b1ffab12d04a8305b48a2fa1ad59b0977b48e63b19806c19dff10fcf306.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Users\Admin\AppData\Local\Temp\tmp240568093.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240568093.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3856
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3196
  - - C:\Users\Admin\AppData\Local\Temp\tmp240575000.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240575000.exe
      4⤵
      PID:3700
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3652
      - C:\Users\Admin\AppData\Local\Temp\tmp240575781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240575781.exe
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\tmp240577718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240577718.exe
        8⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240580671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240580671.exe
        10⤵
        
        PID:2796
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240579625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240579625.exe
        10⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240579343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240579343.exe
        8⤵
        Executes dropped EXE
        
        PID:792
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694875.exe
        10⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694828.exe
        10⤵
        
        PID:5072
      - C:\Users\Admin\AppData\Local\Temp\tmp240577531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240577531.exe
        6⤵
        Executes dropped EXE
        
        PID:4012
    - - C:\Users\Admin\AppData\Local\Temp\tmp240588593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588593.exe
        5⤵
        
        PID:3948
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        Executes dropped EXE
        
        PID:4140
    - - C:\Users\Admin\AppData\Local\Temp\tmp240588640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588640.exe
        5⤵
        Executes dropped EXE
        
        PID:1276
  - - C:\Users\Admin\AppData\Local\Temp\tmp240575437.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240575437.exe
      4⤵
      Executes dropped EXE
      PID:4084
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:4352
    - - C:\Users\Admin\AppData\Local\Temp\tmp240654328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654328.exe
        5⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4708
    - - C:\Users\Admin\AppData\Local\Temp\tmp240655500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655500.exe
        5⤵
        
        PID:3056
      - C:\Users\Admin\AppData\Local\Temp\tmp240657359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657359.exe
        6⤵
        
        PID:980
      - C:\Users\Admin\AppData\Local\Temp\tmp240659828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659828.exe
        6⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663328.exe
        7⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666125.exe
        9⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669578.exe
        9⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672968.exe
        10⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673109.exe
        11⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676531.exe
        13⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678484.exe
        13⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681359.exe
        14⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681640.exe
        14⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684687.exe
        15⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686359.exe
        15⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675937.exe
        11⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671875.exe
        10⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665921.exe
        7⤵
        
        PID:704
- C:\Users\Admin\AppData\Local\Temp\tmp240568140.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240568140.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1528
- - C:\Users\Admin\AppData\Local\Temp\tmp240568312.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240568312.exe
    3⤵
    - Executes dropped EXE
    PID:3060
- - C:\Users\Admin\AppData\Local\Temp\tmp240568453.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240568453.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3400
  - - C:\Users\Admin\AppData\Local\Temp\tmp240568609.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240568609.exe
      4⤵
      Executes dropped EXE
      PID:5076
  - - C:\Users\Admin\AppData\Local\Temp\tmp240568734.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240568734.exe
      4⤵
      Executes dropped EXE
      PID:1148
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1148 -s 224
        5⤵
        Program crash
        
        PID:2416
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:820
    - - C:\Users\Admin\AppData\Local\Temp\tmp240691531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691531.exe
        5⤵
        
        PID:3344
    - - C:\Users\Admin\AppData\Local\Temp\tmp240692000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692000.exe
        5⤵
        
        PID:1636
      - C:\Users\Admin\AppData\Local\Temp\tmp240692546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692546.exe
        6⤵
        
        PID:2248
      - C:\Users\Admin\AppData\Local\Temp\tmp240693234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693234.exe
        6⤵
        
        PID:620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1148 -ip 1148
1⤵
PID:1728

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:3436
- C:\Users\Admin\AppData\Local\Temp\tmp240582234.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240582234.exe
  2⤵
  - Executes dropped EXE
  PID:2496
- C:\Users\Admin\AppData\Local\Temp\tmp240580937.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240580937.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3844

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:4944
- C:\Users\Admin\AppData\Local\Temp\tmp240582484.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240582484.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Modifies registry class
  PID:3832
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    PID:1840
- C:\Users\Admin\AppData\Local\Temp\tmp240582578.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240582578.exe
  2⤵
  - Executes dropped EXE
  PID:4236
- C:\Users\Admin\AppData\Local\Temp\tmp240599640.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240599640.exe
  2⤵
  PID:3428
- - C:\Users\Admin\AppData\Local\Temp\tmp240599750.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240599750.exe
    3⤵
    PID:3784
- - C:\Users\Admin\AppData\Local\Temp\tmp240599687.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240599687.exe
    3⤵
    PID:1324
- C:\Users\Admin\AppData\Local\Temp\tmp240599625.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240599625.exe
  2⤵
  PID:1404

C:\Users\Admin\AppData\Local\Temp\tmp240582937.exe
C:\Users\Admin\AppData\Local\Temp\tmp240582937.exe
1⤵
PID:3820

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
PID:4332
- C:\Users\Admin\AppData\Local\Temp\tmp240583265.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240583265.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  PID:4624
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    PID:2396
- C:\Users\Admin\AppData\Local\Temp\tmp240583296.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240583296.exe
  2⤵
  PID:4100

C:\Users\Admin\AppData\Local\Temp\tmp240583703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240583703.exe
1⤵
- Executes dropped EXE
PID:2688

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1212
- C:\Users\Admin\AppData\Local\Temp\tmp240584000.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240584000.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  PID:4380
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:2984
  - - C:\Users\Admin\AppData\Local\Temp\tmp240586453.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240586453.exe
      4⤵
      PID:4760
  - - C:\Users\Admin\AppData\Local\Temp\tmp240586078.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240586078.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in System32 directory
      Modifies registry class
      PID:2680
- C:\Users\Admin\AppData\Local\Temp\tmp240585671.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240585671.exe
  2⤵
  PID:532

C:\Users\Admin\AppData\Local\Temp\tmp240583671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240583671.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:3408

C:\Users\Admin\AppData\Local\Temp\tmp240582875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240582875.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:5028

C:\Users\Admin\AppData\Local\Temp\tmp240586718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240586718.exe
1⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\tmp240586968.exe
C:\Users\Admin\AppData\Local\Temp\tmp240586968.exe
1⤵
PID:4364

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:4432
- C:\Users\Admin\AppData\Local\Temp\tmp240587515.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240587515.exe
  2⤵
  PID:2324
- C:\Users\Admin\AppData\Local\Temp\tmp240587421.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240587421.exe
  2⤵
  - Drops file in System32 directory
  - Modifies registry class
  PID:4068
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:3988
- - C:\Users\Admin\AppData\Local\Temp\tmp240597656.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240597656.exe
    3⤵
    PID:5068
- - C:\Users\Admin\AppData\Local\Temp\tmp240597609.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240597609.exe
    3⤵
    PID:2316

C:\Users\Admin\AppData\Local\Temp\tmp240587812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240587812.exe
1⤵
PID:4620

C:\Users\Admin\AppData\Local\Temp\tmp240588015.exe
C:\Users\Admin\AppData\Local\Temp\tmp240588015.exe
1⤵
PID:4124

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1484
- C:\Users\Admin\AppData\Local\Temp\tmp240588234.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240588234.exe
  2⤵
  PID:3088
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:3700
- C:\Users\Admin\AppData\Local\Temp\tmp240588406.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240588406.exe
  2⤵
  PID:3952
- C:\Users\Admin\AppData\Local\Temp\tmp240598328.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240598328.exe
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  PID:1040
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:2472
  - - C:\Users\Admin\AppData\Local\Temp\tmp240598546.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240598546.exe
      4⤵
      PID:3948
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:4308
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:260
      - C:\Users\Admin\AppData\Local\Temp\tmp240675296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675296.exe
        6⤵
        
        PID:3196
      - C:\Users\Admin\AppData\Local\Temp\tmp240676375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676375.exe
        6⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678515.exe
        7⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680593.exe
        7⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681656.exe
        8⤵
        
        PID:3420
  - - C:\Users\Admin\AppData\Local\Temp\tmp240598640.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240598640.exe
      4⤵
      PID:4788
  - - C:\Users\Admin\AppData\Local\Temp\tmp240711046.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240711046.exe
      4⤵
      PID:4036
  - - C:\Users\Admin\AppData\Local\Temp\tmp240710921.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240710921.exe
      4⤵
      Executes dropped EXE
      PID:4620
- C:\Users\Admin\AppData\Local\Temp\tmp240598343.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240598343.exe
  2⤵
  PID:2200

C:\Users\Admin\AppData\Local\Temp\tmp240588812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240588812.exe
1⤵
PID:4308
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:4352
- C:\Users\Admin\AppData\Local\Temp\tmp240598875.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240598875.exe
  2⤵
  PID:4708
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:3160
- C:\Users\Admin\AppData\Local\Temp\tmp240598890.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240598890.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1304

C:\Users\Admin\AppData\Local\Temp\tmp240588828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240588828.exe
1⤵
PID:4676

C:\Users\Admin\AppData\Local\Temp\tmp240589015.exe
C:\Users\Admin\AppData\Local\Temp\tmp240589015.exe
1⤵
PID:1304
- C:\Users\Admin\AppData\Local\Temp\tmp240598921.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240598921.exe
  2⤵
  PID:4208
- C:\Users\Admin\AppData\Local\Temp\tmp240598937.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240598937.exe
  2⤵
  PID:4036

C:\Users\Admin\AppData\Local\Temp\tmp240589000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240589000.exe
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:424
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:4408
- - C:\Users\Admin\AppData\Local\Temp\tmp240589218.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240589218.exe
    3⤵
    PID:3252
- - C:\Users\Admin\AppData\Local\Temp\tmp240589187.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240589187.exe
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Modifies registry class
    PID:2796

C:\Users\Admin\AppData\Local\Temp\tmp240589453.exe
C:\Users\Admin\AppData\Local\Temp\tmp240589453.exe
1⤵
PID:4312
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:4484
- - C:\Users\Admin\AppData\Local\Temp\tmp240626359.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240626359.exe
    3⤵
    PID:536
- - C:\Users\Admin\AppData\Local\Temp\tmp240629250.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240629250.exe
    3⤵
    - Checks computer location settings
    - Drops file in System32 directory
    - Modifies registry class
    PID:1404
  - - C:\Users\Admin\AppData\Local\Temp\tmp240632468.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240632468.exe
      4⤵
      PID:2864
  - - C:\Users\Admin\AppData\Local\Temp\tmp240634796.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240634796.exe
      4⤵
      PID:2160
    - - C:\Users\Admin\AppData\Local\Temp\tmp240639531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639531.exe
        5⤵
        
        PID:704
    - - C:\Users\Admin\AppData\Local\Temp\tmp240645640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645640.exe
        5⤵
        
        PID:784

C:\Users\Admin\AppData\Local\Temp\tmp240589656.exe
C:\Users\Admin\AppData\Local\Temp\tmp240589656.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3436
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:5092
- - C:\Users\Admin\AppData\Local\Temp\tmp240589859.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240589859.exe
    3⤵
    PID:4132
- - C:\Users\Admin\AppData\Local\Temp\tmp240589843.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240589843.exe
    3⤵
    PID:536

C:\Users\Admin\AppData\Local\Temp\tmp240590062.exe
C:\Users\Admin\AppData\Local\Temp\tmp240590062.exe
1⤵
PID:2284

C:\Users\Admin\AppData\Local\Temp\tmp240590328.exe
C:\Users\Admin\AppData\Local\Temp\tmp240590328.exe
1⤵
PID:2076

C:\Users\Admin\AppData\Local\Temp\tmp240590562.exe
C:\Users\Admin\AppData\Local\Temp\tmp240590562.exe
1⤵
PID:4504

C:\Users\Admin\AppData\Local\Temp\tmp240590531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240590531.exe
1⤵
PID:4552
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:3776

C:\Users\Admin\AppData\Local\Temp\tmp240590750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240590750.exe
1⤵
PID:4128
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1520
- - C:\Users\Admin\AppData\Local\Temp\tmp240591062.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240591062.exe
    3⤵
    PID:3668
- - C:\Users\Admin\AppData\Local\Temp\tmp240590968.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240590968.exe
    3⤵
    PID:4268

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:3828
- C:\Users\Admin\AppData\Local\Temp\tmp240596578.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240596578.exe
  2⤵
  PID:1348
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:1228
- C:\Users\Admin\AppData\Local\Temp\tmp240591250.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240591250.exe
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  PID:4704

C:\Users\Admin\AppData\Local\Temp\tmp240590796.exe
C:\Users\Admin\AppData\Local\Temp\tmp240590796.exe
1⤵
PID:1368

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:3532

C:\Users\Admin\AppData\Local\Temp\tmp240590250.exe
C:\Users\Admin\AppData\Local\Temp\tmp240590250.exe
1⤵
PID:3804
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:3056
- - C:\Users\Admin\AppData\Local\Temp\tmp240600218.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240600218.exe
    3⤵
    PID:4448

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:3920

C:\Users\Admin\AppData\Local\Temp\tmp240590046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240590046.exe
1⤵
PID:4608

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\tmp240589671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240589671.exe
1⤵
PID:1492

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:4892

C:\Users\Admin\AppData\Local\Temp\tmp240589406.exe
C:\Users\Admin\AppData\Local\Temp\tmp240589406.exe
1⤵
PID:3376

C:\Users\Admin\AppData\Local\Temp\tmp240588000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240588000.exe
1⤵
PID:1104

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:3508

C:\Users\Admin\AppData\Local\Temp\tmp240587781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240587781.exe
1⤵
PID:1344

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
PID:1644

C:\Users\Admin\AppData\Local\Temp\tmp240587203.exe
C:\Users\Admin\AppData\Local\Temp\tmp240587203.exe
1⤵
- Executes dropped EXE
PID:4220

C:\Users\Admin\AppData\Local\Temp\tmp240587156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240587156.exe
1⤵
PID:3388

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:4960

C:\Users\Admin\AppData\Local\Temp\tmp240586937.exe
C:\Users\Admin\AppData\Local\Temp\tmp240586937.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:4716

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
PID:1820

C:\Users\Admin\AppData\Local\Temp\tmp240586656.exe
C:\Users\Admin\AppData\Local\Temp\tmp240586656.exe
1⤵
PID:844

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
PID:5100

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:2424
- C:\Users\Admin\AppData\Local\Temp\tmp240596734.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240596734.exe
  2⤵
  PID:1972
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:4640
- C:\Users\Admin\AppData\Local\Temp\tmp240597046.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240597046.exe
  2⤵
  PID:440

C:\Users\Admin\AppData\Local\Temp\tmp240597265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240597265.exe
1⤵
PID:1080

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:364
- C:\Users\Admin\AppData\Local\Temp\tmp240597859.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240597859.exe
  2⤵
  PID:2096
- C:\Users\Admin\AppData\Local\Temp\tmp240597828.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240597828.exe
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  PID:1936

C:\Users\Admin\AppData\Local\Temp\tmp240598093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240598093.exe
1⤵
PID:3064

C:\Users\Admin\AppData\Local\Temp\tmp240598062.exe
C:\Users\Admin\AppData\Local\Temp\tmp240598062.exe
1⤵
PID:4596
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1484

C:\Users\Admin\AppData\Local\Temp\tmp240598390.exe
C:\Users\Admin\AppData\Local\Temp\tmp240598390.exe
1⤵
PID:2092

C:\Users\Admin\AppData\Local\Temp\tmp240598406.exe
C:\Users\Admin\AppData\Local\Temp\tmp240598406.exe
1⤵
PID:3296

C:\Users\Admin\AppData\Local\Temp\tmp240598687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240598687.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2852

C:\Users\Admin\AppData\Local\Temp\tmp240599109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599109.exe
1⤵
PID:3092
- C:\Users\Admin\AppData\Local\Temp\tmp240599187.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240599187.exe
  2⤵
  PID:2420
- C:\Users\Admin\AppData\Local\Temp\tmp240599156.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240599156.exe
  2⤵
  PID:2164

C:\Users\Admin\AppData\Local\Temp\tmp240599390.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599390.exe
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:3376
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:4944

C:\Users\Admin\AppData\Local\Temp\tmp240599406.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599406.exe
1⤵
PID:1900
- C:\Users\Admin\AppData\Local\Temp\tmp240599468.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240599468.exe
  2⤵
  PID:476
- C:\Users\Admin\AppData\Local\Temp\tmp240599500.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240599500.exe
  2⤵
  PID:3380

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:3920

C:\Users\Admin\AppData\Local\Temp\tmp240599890.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599890.exe
1⤵
PID:4108
- C:\Users\Admin\AppData\Local\Temp\tmp240600000.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240600000.exe
  2⤵
  PID:4552
- C:\Users\Admin\AppData\Local\Temp\tmp240599937.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240599937.exe
  2⤵
  PID:1432

C:\Users\Admin\AppData\Local\Temp\tmp240600187.exe
C:\Users\Admin\AppData\Local\Temp\tmp240600187.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:532
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:3024

C:\Users\Admin\AppData\Local\Temp\tmp240600406.exe
C:\Users\Admin\AppData\Local\Temp\tmp240600406.exe
1⤵
PID:4740

C:\Users\Admin\AppData\Local\Temp\tmp240600468.exe
C:\Users\Admin\AppData\Local\Temp\tmp240600468.exe
1⤵
PID:900
- C:\Users\Admin\AppData\Local\Temp\tmp240600640.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240600640.exe
  2⤵
  PID:1208
- C:\Users\Admin\AppData\Local\Temp\tmp240600546.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240600546.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  PID:844

C:\Users\Admin\AppData\Local\Temp\tmp240600687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240600687.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:4364
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:4356

C:\Users\Admin\AppData\Local\Temp\tmp240600750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240600750.exe
1⤵
PID:1964
- C:\Users\Admin\AppData\Local\Temp\tmp240600937.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240600937.exe
  2⤵
  PID:1080
- C:\Users\Admin\AppData\Local\Temp\tmp240600843.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240600843.exe
  2⤵
  PID:3388

C:\Users\Admin\AppData\Local\Temp\tmp240601140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240601140.exe
1⤵
PID:3900

C:\Users\Admin\AppData\Local\Temp\tmp240601234.exe
C:\Users\Admin\AppData\Local\Temp\tmp240601234.exe
1⤵
PID:4620
- C:\Users\Admin\AppData\Local\Temp\tmp240601281.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240601281.exe
  2⤵
  PID:4920
- C:\Users\Admin\AppData\Local\Temp\tmp240609250.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240609250.exe
  2⤵
  PID:4888

C:\Users\Admin\AppData\Local\Temp\tmp240601203.exe
C:\Users\Admin\AppData\Local\Temp\tmp240601203.exe
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:1664
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1992
- - C:\Users\Admin\AppData\Local\Temp\tmp240611890.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240611890.exe
    3⤵
    PID:364
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:2728
    - - C:\Users\Admin\AppData\Local\Temp\tmp240613125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613125.exe
        5⤵
        
        PID:3528
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614984.exe
        7⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621515.exe
        9⤵
        
        PID:204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623656.exe
        9⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626218.exe
        10⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629234.exe
        10⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632578.exe
        11⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645562.exe
        13⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646218.exe
        14⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647312.exe
        14⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648468.exe
        15⤵
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694281.exe
        16⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693718.exe
        16⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649796.exe
        15⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710562.exe
        14⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710578.exe
        14⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639687.exe
        13⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637250.exe
        11⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694437.exe
        10⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693937.exe
        10⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621328.exe
        7⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623671.exe
        8⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624406.exe
        10⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1444
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628171.exe
        12⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630734.exe
        12⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634750.exe
        13⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639406.exe
        13⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645781.exe
        14⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646265.exe
        14⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627984.exe
        10⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632562.exe
        11⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636656.exe
        13⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643187.exe
        13⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646234.exe
        14⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647281.exe
        14⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648484.exe
        15⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650000.exe
        17⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652593.exe
        19⤵
        
        PID:1132
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654609.exe
        21⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656437.exe
        21⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657750.exe
        22⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        23⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662515.exe
        24⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664656.exe
        24⤵
        Executes dropped EXE
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669546.exe
        25⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671843.exe
        25⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672875.exe
        26⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673203.exe
        26⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662312.exe
        22⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664718.exe
        23⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4316
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        24⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669734.exe
        25⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670484.exe
        25⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672984.exe
        26⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673078.exe
        26⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676312.exe
        27⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675156.exe
        27⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667468.exe
        23⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240695390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240695390.exe
        22⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\tmp240695421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240695421.exe
        22⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654406.exe
        19⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656531.exe
        20⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        21⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659906.exe
        22⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663343.exe
        22⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667515.exe
        23⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        24⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672156.exe
        25⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        26⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673234.exe
        27⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676296.exe
        27⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678500.exe
        28⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        29⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683593.exe
        30⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686296.exe
        30⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688062.exe
        31⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689765.exe
        31⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690687.exe
        32⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691421.exe
        32⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679390.exe
        28⤵
        Executes dropped EXE
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681390.exe
        29⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681562.exe
        29⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672421.exe
        25⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673187.exe
        26⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675953.exe
        26⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676359.exe
        27⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678453.exe
        27⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710718.exe
        24⤵
        
        PID:32
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710812.exe
        25⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710937.exe
        25⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240711140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240711140.exe
        26⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710640.exe
        24⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670468.exe
        23⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672906.exe
        24⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672000.exe
        24⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659781.exe
        20⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664734.exe
        21⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667609.exe
        21⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652390.exe
        17⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654171.exe
        18⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656453.exe
        18⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659812.exe
        19⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664828.exe
        21⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667546.exe
        21⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672859.exe
        22⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673062.exe
        23⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675093.exe
        23⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672031.exe
        22⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664765.exe
        19⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649687.exe
        15⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636453.exe
        11⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645609.exe
        12⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648546.exe
        14⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649781.exe
        14⤵
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654156.exe
        15⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656609.exe
        17⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657765.exe
        17⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663296.exe
        18⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665953.exe
        18⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668953.exe
        19⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672046.exe
        19⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655484.exe
        15⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657343.exe
        16⤵
        Executes dropped EXE
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659734.exe
        16⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647234.exe
        12⤵
        
        PID:220
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690015.exe
        12⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691437.exe
        12⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691937.exe
        13⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692609.exe
        13⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693765.exe
        14⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693250.exe
        14⤵
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624203.exe
        8⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626203.exe
        9⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\tmp240695015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240695015.exe
        10⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694937.exe
        10⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629281.exe
        9⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4608
    - - C:\Users\Admin\AppData\Local\Temp\tmp240614125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614125.exe
        5⤵
        
        PID:3992
      - C:\Users\Admin\AppData\Local\Temp\tmp240621343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621343.exe
        6⤵
        
        PID:4308
      - C:\Users\Admin\AppData\Local\Temp\tmp240623656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623656.exe
        6⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626234.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3820
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634921.exe
        9⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639578.exe
        9⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645734.exe
        10⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646250.exe
        10⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647328.exe
        11⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710906.exe
        12⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710953.exe
        12⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240711031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240711031.exe
        13⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\tmp240711078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240711078.exe
        13⤵
        Executes dropped EXE
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648421.exe
        11⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629281.exe
        7⤵
        
        PID:2360
- - C:\Users\Admin\AppData\Local\Temp\tmp240612875.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240612875.exe
    3⤵
    PID:4688
  - - C:\Users\Admin\AppData\Local\Temp\tmp240613468.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240613468.exe
      4⤵
      PID:216
  - - C:\Users\Admin\AppData\Local\Temp\tmp240614171.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240614171.exe
      4⤵
      PID:2200
    - - C:\Users\Admin\AppData\Local\Temp\tmp240618343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618343.exe
        5⤵
        
        PID:4088
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624171.exe
        7⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626171.exe
        7⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632484.exe
        8⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632593.exe
        8⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639515.exe
        9⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647203.exe
        11⤵
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647375.exe
        12⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648437.exe
        12⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654140.exe
        13⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649703.exe
        13⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645906.exe
        11⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644812.exe
        9⤵
        
        PID:4964
    - - C:\Users\Admin\AppData\Local\Temp\tmp240623515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623515.exe
        5⤵
        
        PID:1636

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\tmp240601078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240601078.exe
1⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\tmp240601015.exe
C:\Users\Admin\AppData\Local\Temp\tmp240601015.exe
1⤵
PID:824

C:\Users\Admin\AppData\Local\Temp\tmp240600953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240600953.exe
1⤵
PID:4316

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1408

C:\Users\Admin\AppData\Local\Temp\tmp240600390.exe
C:\Users\Admin\AppData\Local\Temp\tmp240600390.exe
1⤵
- Executes dropped EXE
PID:2984

C:\Users\Admin\AppData\Local\Temp\tmp240600343.exe
C:\Users\Admin\AppData\Local\Temp\tmp240600343.exe
1⤵
PID:1884

C:\Users\Admin\AppData\Local\Temp\tmp240599859.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599859.exe
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:3804

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:2152

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:3444

C:\Users\Admin\AppData\Local\Temp\tmp240599093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599093.exe
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:3552

C:\Users\Admin\AppData\Local\Temp\tmp240598718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240598718.exe
1⤵
- Executes dropped EXE
PID:4676

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:632
- C:\Users\Admin\AppData\Local\Temp\tmp240711015.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240711015.exe
  2⤵
  PID:2188

C:\Users\Admin\AppData\Local\Temp\tmp240597468.exe
C:\Users\Admin\AppData\Local\Temp\tmp240597468.exe
1⤵
PID:4964

C:\Users\Admin\AppData\Local\Temp\tmp240597437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240597437.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:4432

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:3192

C:\Users\Admin\AppData\Local\Temp\tmp240597234.exe
C:\Users\Admin\AppData\Local\Temp\tmp240597234.exe
1⤵
PID:3632

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
PID:1608
- C:\Users\Admin\AppData\Local\Temp\tmp240678656.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240678656.exe
  2⤵
  PID:4040
- C:\Users\Admin\AppData\Local\Temp\tmp240680562.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240680562.exe
  2⤵
  PID:1604
- - C:\Users\Admin\AppData\Local\Temp\tmp240681578.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240681578.exe
    3⤵
    PID:2012
  - - C:\Users\Admin\AppData\Local\Temp\tmp240684687.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240684687.exe
      4⤵
      PID:4760
  - - C:\Users\Admin\AppData\Local\Temp\tmp240686375.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240686375.exe
      4⤵
      PID:444

C:\Users\Admin\AppData\Local\Temp\tmp240681546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240681546.exe
1⤵
PID:4564
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:4640
- - C:\Users\Admin\AppData\Local\Temp\tmp240685812.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240685812.exe
    3⤵
    PID:3604
- - C:\Users\Admin\AppData\Local\Temp\tmp240686312.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240686312.exe
    3⤵
    - Checks computer location settings
    - Drops file in System32 directory
    - Modifies registry class
    PID:3632
  - - C:\Users\Admin\AppData\Local\Temp\tmp240688078.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240688078.exe
      4⤵
      PID:4888
  - - C:\Users\Admin\AppData\Local\Temp\tmp240689781.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240689781.exe
      4⤵
      PID:1960
    - - C:\Users\Admin\AppData\Local\Temp\tmp240690640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690640.exe
        5⤵
        
        PID:3400
    - - C:\Users\Admin\AppData\Local\Temp\tmp240691296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691296.exe
        5⤵
        
        PID:4584

C:\Users\Admin\AppData\Local\Temp\tmp240681515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240681515.exe
1⤵
PID:3636

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:3900
- C:\Users\Admin\AppData\Local\Temp\tmp240686531.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240686531.exe
  2⤵
  PID:1712
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:4836
  - - C:\Users\Admin\AppData\Local\Temp\tmp240688734.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240688734.exe
      4⤵
      Executes dropped EXE
      PID:1484
  - - C:\Users\Admin\AppData\Local\Temp\tmp240689921.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240689921.exe
      4⤵
      PID:3828
    - - C:\Users\Admin\AppData\Local\Temp\tmp240691375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691375.exe
        5⤵
        
        PID:2824
    - - C:\Users\Admin\AppData\Local\Temp\tmp240691875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691875.exe
        5⤵
        
        PID:3144
      - C:\Users\Admin\AppData\Local\Temp\tmp240692593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692593.exe
        6⤵
        
        PID:4148
      - C:\Users\Admin\AppData\Local\Temp\tmp240693156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693156.exe
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        
        PID:1104
- C:\Users\Admin\AppData\Local\Temp\tmp240688093.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240688093.exe
  2⤵
  PID:3416
- - C:\Users\Admin\AppData\Local\Temp\tmp240689906.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240689906.exe
    3⤵
    PID:4436
- - C:\Users\Admin\AppData\Local\Temp\tmp240691312.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240691312.exe
    3⤵
    PID:3728

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:4084
- C:\Users\Admin\AppData\Local\Temp\tmp240692171.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240692171.exe
  2⤵
  PID:3592
- C:\Users\Admin\AppData\Local\Temp\tmp240692468.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240692468.exe
  2⤵
  PID:1864
- - C:\Users\Admin\AppData\Local\Temp\tmp240693671.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240693671.exe
    3⤵
    - Executes dropped EXE
    PID:4100
  - - C:\Users\Admin\AppData\Local\Temp\tmp240694312.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240694312.exe
      4⤵
      PID:4480
  - - C:\Users\Admin\AppData\Local\Temp\tmp240693968.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240693968.exe
      4⤵
      PID:2200
- - C:\Users\Admin\AppData\Local\Temp\tmp240693171.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240693171.exe
    3⤵
    PID:4244

C:\Users\Admin\AppData\Local\Temp\tmp240692406.exe
C:\Users\Admin\AppData\Local\Temp\tmp240692406.exe
1⤵
PID:1228
- C:\Users\Admin\AppData\Local\Temp\tmp240711109.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240711109.exe
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  PID:1972

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:3684
- C:\Users\Admin\AppData\Local\Temp\tmp240692734.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240692734.exe
  2⤵
  PID:3668
- C:\Users\Admin\AppData\Local\Temp\tmp240693187.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240693187.exe
  2⤵
  PID:3640
- - C:\Users\Admin\AppData\Local\Temp\tmp240694265.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240694265.exe
    3⤵
    PID:476
  - - C:\Users\Admin\AppData\Local\Temp\tmp240694562.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240694562.exe
      4⤵
      PID:3992
  - - C:\Users\Admin\AppData\Local\Temp\tmp240694406.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240694406.exe
      4⤵
      PID:2780
- - C:\Users\Admin\AppData\Local\Temp\tmp240693703.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240693703.exe
    3⤵
    PID:792

C:\Users\Admin\AppData\Local\Temp\tmp240691843.exe
C:\Users\Admin\AppData\Local\Temp\tmp240691843.exe
1⤵
PID:5020

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:3016
- C:\Users\Admin\AppData\Local\Temp\tmp240693421.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240693421.exe
  2⤵
  PID:312
- C:\Users\Admin\AppData\Local\Temp\tmp240693828.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240693828.exe
  2⤵
  PID:4948

C:\Users\Admin\AppData\Local\Temp\tmp240694890.exe
C:\Users\Admin\AppData\Local\Temp\tmp240694890.exe
1⤵
PID:656

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1588
- C:\Users\Admin\AppData\Local\Temp\tmp240695156.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240695156.exe
  2⤵
  PID:1148
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:4008
- C:\Users\Admin\AppData\Local\Temp\tmp240695281.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240695281.exe
  2⤵
  PID:1328
- - C:\Users\Admin\AppData\Local\Temp\tmp240695343.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240695343.exe
    3⤵
    PID:2880
- - C:\Users\Admin\AppData\Local\Temp\tmp240695328.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240695328.exe
    3⤵
    - Checks computer location settings
    - Drops file in System32 directory
    - Modifies registry class
    PID:4268

C:\Users\Admin\AppData\Local\Temp\tmp240695078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240695078.exe
1⤵
PID:1428

C:\Users\Admin\AppData\Local\Temp\tmp240695687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240695687.exe
1⤵
PID:528
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:2980
- - C:\Users\Admin\AppData\Local\Temp\tmp240705703.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240705703.exe
    3⤵
    PID:4064
  - - C:\Users\Admin\AppData\Local\Temp\tmp240705812.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240705812.exe
      4⤵
      PID:3604
  - - C:\Users\Admin\AppData\Local\Temp\tmp240705875.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240705875.exe
      4⤵
      PID:4344
    - - C:\Users\Admin\AppData\Local\Temp\tmp240705937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705937.exe
        5⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4128
    - - C:\Users\Admin\AppData\Local\Temp\tmp240707796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707796.exe
        5⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4552
      - C:\Users\Admin\AppData\Local\Temp\tmp240710359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710359.exe
        6⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710453.exe
        7⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710484.exe
        7⤵
        
        PID:4304
      - C:\Users\Admin\AppData\Local\Temp\tmp240707953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707953.exe
        6⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710500.exe
        7⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710468.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1344
- - C:\Users\Admin\AppData\Local\Temp\tmp240704593.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240704593.exe
    3⤵
    PID:3060

C:\Users\Admin\AppData\Local\Temp\tmp240695703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240695703.exe
1⤵
PID:1576
- C:\Users\Admin\AppData\Local\Temp\tmp240695750.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240695750.exe
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  PID:536
- C:\Users\Admin\AppData\Local\Temp\tmp240695765.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240695765.exe
  2⤵
  PID:1308
- - C:\Users\Admin\AppData\Local\Temp\tmp240702203.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240702203.exe
    3⤵
    PID:900
- - C:\Users\Admin\AppData\Local\Temp\tmp240704375.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240704375.exe
    3⤵
    PID:1372
  - - C:\Users\Admin\AppData\Local\Temp\tmp240705687.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240705687.exe
      4⤵
      Executes dropped EXE
      PID:4760
  - - C:\Users\Admin\AppData\Local\Temp\tmp240704546.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240704546.exe
      4⤵
      PID:5112
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:3000
      - C:\Users\Admin\AppData\Local\Temp\tmp240707953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707953.exe
        6⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710406.exe
        7⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710421.exe
        7⤵
        Executes dropped EXE
        
        PID:4124

C:\Users\Admin\AppData\Local\Temp\tmp240695062.exe
C:\Users\Admin\AppData\Local\Temp\tmp240695062.exe
1⤵
PID:2284

C:\Users\Admin\AppData\Local\Temp\tmp240694843.exe
C:\Users\Admin\AppData\Local\Temp\tmp240694843.exe
1⤵
PID:3184

C:\Users\Admin\AppData\Local\Temp\tmp240694812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240694812.exe
1⤵
PID:4196

C:\Users\Admin\AppData\Local\Temp\tmp240694687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240694687.exe
1⤵
PID:2988

C:\Users\Admin\AppData\Local\Temp\tmp240694671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240694671.exe
1⤵
PID:3708

C:\Users\Admin\AppData\Local\Temp\tmp240694625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240694625.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:4308

C:\Users\Admin\AppData\Local\Temp\tmp240694531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240694531.exe
1⤵
PID:4424

C:\Users\Admin\AppData\Local\Temp\tmp240694343.exe
C:\Users\Admin\AppData\Local\Temp\tmp240694343.exe
1⤵
PID:2440

C:\Users\Admin\AppData\Local\Temp\tmp240707875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240707875.exe
1⤵
PID:996
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  PID:3952

C:\Users\Admin\AppData\Local\Temp\tmp240710703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240710703.exe
1⤵
PID:3116
- C:\Users\Admin\AppData\Local\Temp\tmp240710750.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240710750.exe
  2⤵
  PID:4860
- C:\Users\Admin\AppData\Local\Temp\tmp240710859.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240710859.exe
  2⤵
  PID:2472

C:\Users\Admin\AppData\Local\Temp\tmp240710671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240710671.exe
1⤵
PID:1348

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp240568093.exe

Filesize
1.7MB

MD5
e0c95e4c20d8db8730a1ac1c638aa4cc

SHA1
23eac8fcca391adbcdb1f3b8ac64a20c9116f16e

SHA256
b7d3cbc108ee599b0c5a0809dcb6e1c344a203ba962ac21e338fa807ccb18b5e

SHA512
64bbe3b1f3ca91854668b1761f64d66d8e53bac9dc7ed7e350466d518ee832649b1ef1e5dc8232d559117509587fb06f4987cb1ea68dd5c04e8dfc3406fd8408

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240568093.exe

Filesize
1.7MB

MD5
e0c95e4c20d8db8730a1ac1c638aa4cc

SHA1
23eac8fcca391adbcdb1f3b8ac64a20c9116f16e

SHA256
b7d3cbc108ee599b0c5a0809dcb6e1c344a203ba962ac21e338fa807ccb18b5e

SHA512
64bbe3b1f3ca91854668b1761f64d66d8e53bac9dc7ed7e350466d518ee832649b1ef1e5dc8232d559117509587fb06f4987cb1ea68dd5c04e8dfc3406fd8408

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240568140.exe

Filesize
3.6MB

MD5
71de495812cce27faf1d2b3b3b13c28a

SHA1
075a777f54c8305d73ef985fc659968478793d11

SHA256
edeba3dfcdc364ecb9e6f2c3a9971c8a4d5b2940af372be1caa966b7b4c53563

SHA512
8953c4077947137594042d28452dafb97c8a82533a8b33ee3340f50053aa77b88e7c6f1256649d6448940c71a4663a0aa2829ac44af4d0f0b3b825cc0247e993

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240568140.exe

Filesize
3.6MB

MD5
71de495812cce27faf1d2b3b3b13c28a

SHA1
075a777f54c8305d73ef985fc659968478793d11

SHA256
edeba3dfcdc364ecb9e6f2c3a9971c8a4d5b2940af372be1caa966b7b4c53563

SHA512
8953c4077947137594042d28452dafb97c8a82533a8b33ee3340f50053aa77b88e7c6f1256649d6448940c71a4663a0aa2829ac44af4d0f0b3b825cc0247e993

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240568312.exe

Filesize
1.7MB

MD5
e0c95e4c20d8db8730a1ac1c638aa4cc

SHA1
23eac8fcca391adbcdb1f3b8ac64a20c9116f16e

SHA256
b7d3cbc108ee599b0c5a0809dcb6e1c344a203ba962ac21e338fa807ccb18b5e

SHA512
64bbe3b1f3ca91854668b1761f64d66d8e53bac9dc7ed7e350466d518ee832649b1ef1e5dc8232d559117509587fb06f4987cb1ea68dd5c04e8dfc3406fd8408

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240568312.exe

Filesize
1.7MB

MD5
e0c95e4c20d8db8730a1ac1c638aa4cc

SHA1
23eac8fcca391adbcdb1f3b8ac64a20c9116f16e

SHA256
b7d3cbc108ee599b0c5a0809dcb6e1c344a203ba962ac21e338fa807ccb18b5e

SHA512
64bbe3b1f3ca91854668b1761f64d66d8e53bac9dc7ed7e350466d518ee832649b1ef1e5dc8232d559117509587fb06f4987cb1ea68dd5c04e8dfc3406fd8408

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240568453.exe

Filesize
1.9MB

MD5
71a98960ade8f3f58bb3aff7673d58f9

SHA1
25518d2cd0529cd8521f51f7ef08d6788988cbdd

SHA256
a2b225bbb3644c6c68c6fbc558d55cc2855d442e4c750bfc93a261f5cc2e3aa0

SHA512
4e8076122963872525b03645b6b876a3201e8f16822a9a55a13006d314c59f55276c49ac7138591e75d4ffc2dd325d575cbfa00b2f7ec4e7cac896df8fe912ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240568453.exe

Filesize
1.9MB

MD5
71a98960ade8f3f58bb3aff7673d58f9

SHA1
25518d2cd0529cd8521f51f7ef08d6788988cbdd

SHA256
a2b225bbb3644c6c68c6fbc558d55cc2855d442e4c750bfc93a261f5cc2e3aa0

SHA512
4e8076122963872525b03645b6b876a3201e8f16822a9a55a13006d314c59f55276c49ac7138591e75d4ffc2dd325d575cbfa00b2f7ec4e7cac896df8fe912ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240568609.exe

Filesize
1.7MB

MD5
e0c95e4c20d8db8730a1ac1c638aa4cc

SHA1
23eac8fcca391adbcdb1f3b8ac64a20c9116f16e

SHA256
b7d3cbc108ee599b0c5a0809dcb6e1c344a203ba962ac21e338fa807ccb18b5e

SHA512
64bbe3b1f3ca91854668b1761f64d66d8e53bac9dc7ed7e350466d518ee832649b1ef1e5dc8232d559117509587fb06f4987cb1ea68dd5c04e8dfc3406fd8408

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240568609.exe

Filesize
1.7MB

MD5
e0c95e4c20d8db8730a1ac1c638aa4cc

SHA1
23eac8fcca391adbcdb1f3b8ac64a20c9116f16e

SHA256
b7d3cbc108ee599b0c5a0809dcb6e1c344a203ba962ac21e338fa807ccb18b5e

SHA512
64bbe3b1f3ca91854668b1761f64d66d8e53bac9dc7ed7e350466d518ee832649b1ef1e5dc8232d559117509587fb06f4987cb1ea68dd5c04e8dfc3406fd8408

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240568734.exe

Filesize
136KB

MD5
9aeb06a81883647698958706907b1c8b

SHA1
1ed819748dd1683826910789ce3c0e331ab636b9

SHA256
2739d7b4fc7ec6f5ccbed17d4c9f57c8905147bdc926a1995e1f9c4f258d55cc

SHA512
d388602a1e322789dda56df6776d570972acce420e45044699f7178115f8c20f32f9723a63657c58771df3ef54afa3193e817679b91cc24fe80d94c78ad09bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240568734.exe

Filesize
136KB

MD5
9aeb06a81883647698958706907b1c8b

SHA1
1ed819748dd1683826910789ce3c0e331ab636b9

SHA256
2739d7b4fc7ec6f5ccbed17d4c9f57c8905147bdc926a1995e1f9c4f258d55cc

SHA512
d388602a1e322789dda56df6776d570972acce420e45044699f7178115f8c20f32f9723a63657c58771df3ef54afa3193e817679b91cc24fe80d94c78ad09bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240575000.exe

Filesize
1.7MB

MD5
e0c95e4c20d8db8730a1ac1c638aa4cc

SHA1
23eac8fcca391adbcdb1f3b8ac64a20c9116f16e

SHA256
b7d3cbc108ee599b0c5a0809dcb6e1c344a203ba962ac21e338fa807ccb18b5e

SHA512
64bbe3b1f3ca91854668b1761f64d66d8e53bac9dc7ed7e350466d518ee832649b1ef1e5dc8232d559117509587fb06f4987cb1ea68dd5c04e8dfc3406fd8408

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240575000.exe

Filesize
1.7MB

MD5
e0c95e4c20d8db8730a1ac1c638aa4cc

SHA1
23eac8fcca391adbcdb1f3b8ac64a20c9116f16e

SHA256
b7d3cbc108ee599b0c5a0809dcb6e1c344a203ba962ac21e338fa807ccb18b5e

SHA512
64bbe3b1f3ca91854668b1761f64d66d8e53bac9dc7ed7e350466d518ee832649b1ef1e5dc8232d559117509587fb06f4987cb1ea68dd5c04e8dfc3406fd8408

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240575437.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240575781.exe

Filesize
1.7MB

MD5
e0c95e4c20d8db8730a1ac1c638aa4cc

SHA1
23eac8fcca391adbcdb1f3b8ac64a20c9116f16e

SHA256
b7d3cbc108ee599b0c5a0809dcb6e1c344a203ba962ac21e338fa807ccb18b5e

SHA512
64bbe3b1f3ca91854668b1761f64d66d8e53bac9dc7ed7e350466d518ee832649b1ef1e5dc8232d559117509587fb06f4987cb1ea68dd5c04e8dfc3406fd8408

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240575781.exe

Filesize
1.7MB

MD5
e0c95e4c20d8db8730a1ac1c638aa4cc

SHA1
23eac8fcca391adbcdb1f3b8ac64a20c9116f16e

SHA256
b7d3cbc108ee599b0c5a0809dcb6e1c344a203ba962ac21e338fa807ccb18b5e

SHA512
64bbe3b1f3ca91854668b1761f64d66d8e53bac9dc7ed7e350466d518ee832649b1ef1e5dc8232d559117509587fb06f4987cb1ea68dd5c04e8dfc3406fd8408

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240577531.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240577718.exe

Filesize
1.7MB

MD5
e0c95e4c20d8db8730a1ac1c638aa4cc

SHA1
23eac8fcca391adbcdb1f3b8ac64a20c9116f16e

SHA256
b7d3cbc108ee599b0c5a0809dcb6e1c344a203ba962ac21e338fa807ccb18b5e

SHA512
64bbe3b1f3ca91854668b1761f64d66d8e53bac9dc7ed7e350466d518ee832649b1ef1e5dc8232d559117509587fb06f4987cb1ea68dd5c04e8dfc3406fd8408

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240577718.exe

Filesize
1.7MB

MD5
e0c95e4c20d8db8730a1ac1c638aa4cc

SHA1
23eac8fcca391adbcdb1f3b8ac64a20c9116f16e

SHA256
b7d3cbc108ee599b0c5a0809dcb6e1c344a203ba962ac21e338fa807ccb18b5e

SHA512
64bbe3b1f3ca91854668b1761f64d66d8e53bac9dc7ed7e350466d518ee832649b1ef1e5dc8232d559117509587fb06f4987cb1ea68dd5c04e8dfc3406fd8408

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240579343.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240579625.exe

Filesize
1.7MB

MD5
e0c95e4c20d8db8730a1ac1c638aa4cc

SHA1
23eac8fcca391adbcdb1f3b8ac64a20c9116f16e

SHA256
b7d3cbc108ee599b0c5a0809dcb6e1c344a203ba962ac21e338fa807ccb18b5e

SHA512
64bbe3b1f3ca91854668b1761f64d66d8e53bac9dc7ed7e350466d518ee832649b1ef1e5dc8232d559117509587fb06f4987cb1ea68dd5c04e8dfc3406fd8408

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240579625.exe

Filesize
1.7MB

MD5
e0c95e4c20d8db8730a1ac1c638aa4cc

SHA1
23eac8fcca391adbcdb1f3b8ac64a20c9116f16e

SHA256
b7d3cbc108ee599b0c5a0809dcb6e1c344a203ba962ac21e338fa807ccb18b5e

SHA512
64bbe3b1f3ca91854668b1761f64d66d8e53bac9dc7ed7e350466d518ee832649b1ef1e5dc8232d559117509587fb06f4987cb1ea68dd5c04e8dfc3406fd8408

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240580671.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240580937.exe

Filesize
1.7MB

MD5
e0c95e4c20d8db8730a1ac1c638aa4cc

SHA1
23eac8fcca391adbcdb1f3b8ac64a20c9116f16e

SHA256
b7d3cbc108ee599b0c5a0809dcb6e1c344a203ba962ac21e338fa807ccb18b5e

SHA512
64bbe3b1f3ca91854668b1761f64d66d8e53bac9dc7ed7e350466d518ee832649b1ef1e5dc8232d559117509587fb06f4987cb1ea68dd5c04e8dfc3406fd8408

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240580937.exe

Filesize
1.7MB

MD5
e0c95e4c20d8db8730a1ac1c638aa4cc

SHA1
23eac8fcca391adbcdb1f3b8ac64a20c9116f16e

SHA256
b7d3cbc108ee599b0c5a0809dcb6e1c344a203ba962ac21e338fa807ccb18b5e

SHA512
64bbe3b1f3ca91854668b1761f64d66d8e53bac9dc7ed7e350466d518ee832649b1ef1e5dc8232d559117509587fb06f4987cb1ea68dd5c04e8dfc3406fd8408

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240582234.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240582484.exe

Filesize
1.7MB

MD5
e0c95e4c20d8db8730a1ac1c638aa4cc

SHA1
23eac8fcca391adbcdb1f3b8ac64a20c9116f16e

SHA256
b7d3cbc108ee599b0c5a0809dcb6e1c344a203ba962ac21e338fa807ccb18b5e

SHA512
64bbe3b1f3ca91854668b1761f64d66d8e53bac9dc7ed7e350466d518ee832649b1ef1e5dc8232d559117509587fb06f4987cb1ea68dd5c04e8dfc3406fd8408

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240582484.exe

Filesize
1.7MB

MD5
e0c95e4c20d8db8730a1ac1c638aa4cc

SHA1
23eac8fcca391adbcdb1f3b8ac64a20c9116f16e

SHA256
b7d3cbc108ee599b0c5a0809dcb6e1c344a203ba962ac21e338fa807ccb18b5e

SHA512
64bbe3b1f3ca91854668b1761f64d66d8e53bac9dc7ed7e350466d518ee832649b1ef1e5dc8232d559117509587fb06f4987cb1ea68dd5c04e8dfc3406fd8408

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240582578.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240582875.exe

Filesize
1.7MB

MD5
e0c95e4c20d8db8730a1ac1c638aa4cc

SHA1
23eac8fcca391adbcdb1f3b8ac64a20c9116f16e

SHA256
b7d3cbc108ee599b0c5a0809dcb6e1c344a203ba962ac21e338fa807ccb18b5e

SHA512
64bbe3b1f3ca91854668b1761f64d66d8e53bac9dc7ed7e350466d518ee832649b1ef1e5dc8232d559117509587fb06f4987cb1ea68dd5c04e8dfc3406fd8408

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240582875.exe

Filesize
1.7MB

MD5
e0c95e4c20d8db8730a1ac1c638aa4cc

SHA1
23eac8fcca391adbcdb1f3b8ac64a20c9116f16e

SHA256
b7d3cbc108ee599b0c5a0809dcb6e1c344a203ba962ac21e338fa807ccb18b5e

SHA512
64bbe3b1f3ca91854668b1761f64d66d8e53bac9dc7ed7e350466d518ee832649b1ef1e5dc8232d559117509587fb06f4987cb1ea68dd5c04e8dfc3406fd8408

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240582937.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240583265.exe

Filesize
1.7MB

MD5
e0c95e4c20d8db8730a1ac1c638aa4cc

SHA1
23eac8fcca391adbcdb1f3b8ac64a20c9116f16e

SHA256
b7d3cbc108ee599b0c5a0809dcb6e1c344a203ba962ac21e338fa807ccb18b5e

SHA512
64bbe3b1f3ca91854668b1761f64d66d8e53bac9dc7ed7e350466d518ee832649b1ef1e5dc8232d559117509587fb06f4987cb1ea68dd5c04e8dfc3406fd8408

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240583265.exe

Filesize
1.7MB

MD5
e0c95e4c20d8db8730a1ac1c638aa4cc

SHA1
23eac8fcca391adbcdb1f3b8ac64a20c9116f16e

SHA256
b7d3cbc108ee599b0c5a0809dcb6e1c344a203ba962ac21e338fa807ccb18b5e

SHA512
64bbe3b1f3ca91854668b1761f64d66d8e53bac9dc7ed7e350466d518ee832649b1ef1e5dc8232d559117509587fb06f4987cb1ea68dd5c04e8dfc3406fd8408

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240583296.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240583671.exe

Filesize
1.7MB

MD5
e0c95e4c20d8db8730a1ac1c638aa4cc

SHA1
23eac8fcca391adbcdb1f3b8ac64a20c9116f16e

SHA256
b7d3cbc108ee599b0c5a0809dcb6e1c344a203ba962ac21e338fa807ccb18b5e

SHA512
64bbe3b1f3ca91854668b1761f64d66d8e53bac9dc7ed7e350466d518ee832649b1ef1e5dc8232d559117509587fb06f4987cb1ea68dd5c04e8dfc3406fd8408

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240583671.exe

Filesize
1.7MB

MD5
e0c95e4c20d8db8730a1ac1c638aa4cc

SHA1
23eac8fcca391adbcdb1f3b8ac64a20c9116f16e

SHA256
b7d3cbc108ee599b0c5a0809dcb6e1c344a203ba962ac21e338fa807ccb18b5e

SHA512
64bbe3b1f3ca91854668b1761f64d66d8e53bac9dc7ed7e350466d518ee832649b1ef1e5dc8232d559117509587fb06f4987cb1ea68dd5c04e8dfc3406fd8408

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
1.7MB

MD5
e0c95e4c20d8db8730a1ac1c638aa4cc

SHA1
23eac8fcca391adbcdb1f3b8ac64a20c9116f16e

SHA256
b7d3cbc108ee599b0c5a0809dcb6e1c344a203ba962ac21e338fa807ccb18b5e

SHA512
64bbe3b1f3ca91854668b1761f64d66d8e53bac9dc7ed7e350466d518ee832649b1ef1e5dc8232d559117509587fb06f4987cb1ea68dd5c04e8dfc3406fd8408

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
1.7MB

MD5
e0c95e4c20d8db8730a1ac1c638aa4cc

SHA1
23eac8fcca391adbcdb1f3b8ac64a20c9116f16e

SHA256
b7d3cbc108ee599b0c5a0809dcb6e1c344a203ba962ac21e338fa807ccb18b5e

SHA512
64bbe3b1f3ca91854668b1761f64d66d8e53bac9dc7ed7e350466d518ee832649b1ef1e5dc8232d559117509587fb06f4987cb1ea68dd5c04e8dfc3406fd8408

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
1.7MB

MD5
e0c95e4c20d8db8730a1ac1c638aa4cc

SHA1
23eac8fcca391adbcdb1f3b8ac64a20c9116f16e

SHA256
b7d3cbc108ee599b0c5a0809dcb6e1c344a203ba962ac21e338fa807ccb18b5e

SHA512
64bbe3b1f3ca91854668b1761f64d66d8e53bac9dc7ed7e350466d518ee832649b1ef1e5dc8232d559117509587fb06f4987cb1ea68dd5c04e8dfc3406fd8408

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
1.7MB

MD5
e0c95e4c20d8db8730a1ac1c638aa4cc

SHA1
23eac8fcca391adbcdb1f3b8ac64a20c9116f16e

SHA256
b7d3cbc108ee599b0c5a0809dcb6e1c344a203ba962ac21e338fa807ccb18b5e

SHA512
64bbe3b1f3ca91854668b1761f64d66d8e53bac9dc7ed7e350466d518ee832649b1ef1e5dc8232d559117509587fb06f4987cb1ea68dd5c04e8dfc3406fd8408

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
1.7MB

MD5
e0c95e4c20d8db8730a1ac1c638aa4cc

SHA1
23eac8fcca391adbcdb1f3b8ac64a20c9116f16e

SHA256
b7d3cbc108ee599b0c5a0809dcb6e1c344a203ba962ac21e338fa807ccb18b5e

SHA512
64bbe3b1f3ca91854668b1761f64d66d8e53bac9dc7ed7e350466d518ee832649b1ef1e5dc8232d559117509587fb06f4987cb1ea68dd5c04e8dfc3406fd8408

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
1.7MB

MD5
e0c95e4c20d8db8730a1ac1c638aa4cc

SHA1
23eac8fcca391adbcdb1f3b8ac64a20c9116f16e

SHA256
b7d3cbc108ee599b0c5a0809dcb6e1c344a203ba962ac21e338fa807ccb18b5e

SHA512
64bbe3b1f3ca91854668b1761f64d66d8e53bac9dc7ed7e350466d518ee832649b1ef1e5dc8232d559117509587fb06f4987cb1ea68dd5c04e8dfc3406fd8408

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
1.7MB

MD5
e0c95e4c20d8db8730a1ac1c638aa4cc

SHA1
23eac8fcca391adbcdb1f3b8ac64a20c9116f16e

SHA256
b7d3cbc108ee599b0c5a0809dcb6e1c344a203ba962ac21e338fa807ccb18b5e

SHA512
64bbe3b1f3ca91854668b1761f64d66d8e53bac9dc7ed7e350466d518ee832649b1ef1e5dc8232d559117509587fb06f4987cb1ea68dd5c04e8dfc3406fd8408

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.9MB

MD5
d8654b82f47b0c2503be1f744d987afe

SHA1
988e01afd06bec9789db5b17f5f3727e101a8406

SHA256
d5619a293f139b490d62f6433f497669c33aa19d871ae7644db59791451f78e1

SHA512
d7f1c252896b16c73ffeec648a3524df1b6c344b8a33dd9d9279b9672ee51ff7ab4c6a72be8208e4ed8ae632ab6b1262a26ad0cac14b9b2de61fbe2412d89bc2

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.9MB

MD5
d8654b82f47b0c2503be1f744d987afe

SHA1
988e01afd06bec9789db5b17f5f3727e101a8406

SHA256
d5619a293f139b490d62f6433f497669c33aa19d871ae7644db59791451f78e1

SHA512
d7f1c252896b16c73ffeec648a3524df1b6c344b8a33dd9d9279b9672ee51ff7ab4c6a72be8208e4ed8ae632ab6b1262a26ad0cac14b9b2de61fbe2412d89bc2

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.9MB

MD5
d8654b82f47b0c2503be1f744d987afe

SHA1
988e01afd06bec9789db5b17f5f3727e101a8406

SHA256
d5619a293f139b490d62f6433f497669c33aa19d871ae7644db59791451f78e1

SHA512
d7f1c252896b16c73ffeec648a3524df1b6c344b8a33dd9d9279b9672ee51ff7ab4c6a72be8208e4ed8ae632ab6b1262a26ad0cac14b9b2de61fbe2412d89bc2

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.9MB

MD5
d8654b82f47b0c2503be1f744d987afe

SHA1
988e01afd06bec9789db5b17f5f3727e101a8406

SHA256
d5619a293f139b490d62f6433f497669c33aa19d871ae7644db59791451f78e1

SHA512
d7f1c252896b16c73ffeec648a3524df1b6c344b8a33dd9d9279b9672ee51ff7ab4c6a72be8208e4ed8ae632ab6b1262a26ad0cac14b9b2de61fbe2412d89bc2

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.9MB

MD5
d8654b82f47b0c2503be1f744d987afe

SHA1
988e01afd06bec9789db5b17f5f3727e101a8406

SHA256
d5619a293f139b490d62f6433f497669c33aa19d871ae7644db59791451f78e1

SHA512
d7f1c252896b16c73ffeec648a3524df1b6c344b8a33dd9d9279b9672ee51ff7ab4c6a72be8208e4ed8ae632ab6b1262a26ad0cac14b9b2de61fbe2412d89bc2

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.9MB

MD5
d8654b82f47b0c2503be1f744d987afe

SHA1
988e01afd06bec9789db5b17f5f3727e101a8406

SHA256
d5619a293f139b490d62f6433f497669c33aa19d871ae7644db59791451f78e1

SHA512
d7f1c252896b16c73ffeec648a3524df1b6c344b8a33dd9d9279b9672ee51ff7ab4c6a72be8208e4ed8ae632ab6b1262a26ad0cac14b9b2de61fbe2412d89bc2

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.9MB

MD5
d8654b82f47b0c2503be1f744d987afe

SHA1
988e01afd06bec9789db5b17f5f3727e101a8406

SHA256
d5619a293f139b490d62f6433f497669c33aa19d871ae7644db59791451f78e1

SHA512
d7f1c252896b16c73ffeec648a3524df1b6c344b8a33dd9d9279b9672ee51ff7ab4c6a72be8208e4ed8ae632ab6b1262a26ad0cac14b9b2de61fbe2412d89bc2

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.9MB

MD5
d8654b82f47b0c2503be1f744d987afe

SHA1
988e01afd06bec9789db5b17f5f3727e101a8406

SHA256
d5619a293f139b490d62f6433f497669c33aa19d871ae7644db59791451f78e1

SHA512
d7f1c252896b16c73ffeec648a3524df1b6c344b8a33dd9d9279b9672ee51ff7ab4c6a72be8208e4ed8ae632ab6b1262a26ad0cac14b9b2de61fbe2412d89bc2

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.9MB

MD5
d8654b82f47b0c2503be1f744d987afe

SHA1
988e01afd06bec9789db5b17f5f3727e101a8406

SHA256
d5619a293f139b490d62f6433f497669c33aa19d871ae7644db59791451f78e1

SHA512
d7f1c252896b16c73ffeec648a3524df1b6c344b8a33dd9d9279b9672ee51ff7ab4c6a72be8208e4ed8ae632ab6b1262a26ad0cac14b9b2de61fbe2412d89bc2

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.9MB

MD5
d8654b82f47b0c2503be1f744d987afe

SHA1
988e01afd06bec9789db5b17f5f3727e101a8406

SHA256
d5619a293f139b490d62f6433f497669c33aa19d871ae7644db59791451f78e1

SHA512
d7f1c252896b16c73ffeec648a3524df1b6c344b8a33dd9d9279b9672ee51ff7ab4c6a72be8208e4ed8ae632ab6b1262a26ad0cac14b9b2de61fbe2412d89bc2

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
memory/364-308-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/368-198-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/368-190-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/632-309-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1148-154-0x0000000000010000-0x0000000000032000-memory.dmp

Filesize
136KB

Download
memory/1212-251-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1212-248-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1304-315-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1440-297-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1484-282-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1484-310-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1520-301-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1528-145-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1644-274-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1820-263-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1840-229-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1900-319-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2152-322-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2200-311-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2396-246-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2424-304-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2472-312-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2852-187-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2852-179-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2984-255-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3092-317-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3160-316-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3192-306-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3196-167-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3400-149-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3400-152-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3428-321-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3436-209-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3436-201-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3444-318-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3508-278-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3532-299-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3652-178-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3652-168-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3700-284-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3700-287-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3776-300-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3828-302-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3828-303-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3920-298-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3988-307-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4052-294-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4108-323-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4140-291-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4308-314-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4332-239-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4352-292-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4408-293-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4432-269-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4432-270-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4640-305-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4788-313-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4892-295-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4944-320-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4944-219-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4960-267-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4996-137-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5092-296-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5100-259-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download