31016fa552296c59009b533bd6ed74eb66a718367780c6aafa4abd5a151a4a24

Analysis

max time kernel
150s
max time network
164s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31016fa552296c59009b533bd6ed74eb66a718367780c6aafa4abd5a151a4a24.exe
Size

3.2MB
MD5

ffa55e199fd9037e07d6d3eb3181db6c
SHA1

6c9b3cc94cd2a9bc6a7778845b1c71bec7d002e3
SHA256

31016fa552296c59009b533bd6ed74eb66a718367780c6aafa4abd5a151a4a24
SHA512

6213532c8da6abc861b05c32c6e9f613985076cd8df3b2763a2599ec5f514431f0559b69fb585b0b2f10e402b391358ce08557d4be6d4322b256d32928708003
SSDEEP

24576:cDyTFtjEDyTFtjTDyTFtjBDyTFtjJDyTFtjcDyTFtjEDyTFtjTDyTFtjBDyTFtj:1txtItqtCt5txtItqt

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1496	tmp240579421.exe
2436	tmp240579500.exe
3844	notpad.exe
320	tmp240595515.exe
2020	tmp240582109.exe
4776	notpad.exe
4484	tmp240582765.exe
2516	tmp240583140.exe
4984	notpad.exe
4592	tmp240583734.exe
3160	tmp240583890.exe
2272	tmp240584031.exe
4536	wmiprvse.exe
3532	tmp240609375.exe
5112	tmp240584296.exe
4320	tmp240584406.exe
2744	notpad.exe
3380	tmp240584875.exe
3308	tmp240587078.exe
4380	tmp240609671.exe
4820	notpad.exe
4716	notpad.exe
3656	tmp240610640.exe
5084	tmp240599890.exe
4444	tmp240589062.exe
4524	tmp240610250.exe
2664	tmp240589234.exe
4404	tmp240589812.exe
1232	tmp240600031.exe
1284	tmp240600437.exe
4532	tmp240590250.exe
2820	tmp240590421.exe
2768	notpad.exe
4368	notpad.exe
4492	tmp240600718.exe
4076	tmp240591515.exe
920	notpad.exe
2596	tmp240601156.exe
3912	tmp240592109.exe
4208	tmp240593500.exe
1372	tmp240593546.exe
4280	tmp240593640.exe
3748	tmp240593734.exe
2816	tmp240593781.exe
4612	notpad.exe
1408	tmp240601468.exe
4604	tmp240594000.exe
524	tmp240594046.exe
5008	tmp240594234.exe
4892	tmp240594109.exe
2128	tmp240602093.exe
1592	tmp240594578.exe
3800	notpad.exe
1524	tmp240594750.exe
2712	tmp240602156.exe
2640	tmp240594859.exe
3776	tmp240594968.exe
4580	tmp240595093.exe
3984	tmp240595218.exe
3392	tmp240595296.exe
3980	notpad.exe
312	notpad.exe
5100	tmp240595406.exe
320	tmp240608375.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1592-138-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0002000000022e00-142.dat	upx
behavioral2/memory/3844-151-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0001000000022dfe-147.dat	upx
behavioral2/memory/3844-143-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0002000000022e00-141.dat	upx
behavioral2/files/0x0002000000022e00-153.dat	upx
behavioral2/memory/4776-162-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0001000000022dfe-159.dat	upx
behavioral2/memory/4776-154-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0003000000022e0b-165.dat	upx
behavioral2/files/0x0003000000022e0b-164.dat	upx
behavioral2/files/0x0001000000022dfe-169.dat	upx
behavioral2/files/0x0003000000022e0e-172.dat	upx
behavioral2/memory/4984-174-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3160-184-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0003000000022e0b-180.dat	upx
behavioral2/files/0x0001000000022e14-191.dat	upx
behavioral2/memory/4536-192-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0001000000022e14-190.dat	upx
behavioral2/files/0x0001000000022dfe-188.dat	upx
behavioral2/memory/3160-175-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0003000000022e0e-173.dat	upx
behavioral2/memory/4320-193-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0003000000022e0b-195.dat	upx
behavioral2/memory/2744-196-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4320-207-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0001000000022dfe-203.dat	upx
behavioral2/files/0x0003000000022e0b-209.dat	upx
behavioral2/files/0x0001000000022e19-211.dat	upx
behavioral2/memory/2744-215-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0001000000022e1c-221.dat	upx
behavioral2/files/0x0001000000022e1c-220.dat	upx
behavioral2/files/0x0001000000022dfe-218.dat	upx
behavioral2/memory/5084-224-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5084-236-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0003000000022e0b-238.dat	upx
behavioral2/files/0x0001000000022e25-245.dat	upx
behavioral2/memory/4532-249-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1232-246-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0001000000022dfe-243.dat	upx
behavioral2/memory/4716-231-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4368-253-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4716-226-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4076-254-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4820-222-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0001000000022e19-213.dat	upx
behavioral2/memory/920-256-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4612-270-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4612-277-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2128-286-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2640-292-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3980-299-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/320-300-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1236-301-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3984-297-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3800-289-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2128-288-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3800-287-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4892-282-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1408-276-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1372-271-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1372-269-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4208-268-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Checks computer location settings 2 TTPs 33 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240584296.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240584875.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240599515.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240600000.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240610218.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240700328.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240608375.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240594750.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240599078.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240624515.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240659718.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240594000.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240598625.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240602218.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240595406.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240600968.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240686468.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240582765.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240610640.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240600718.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240579421.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240583734.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240609375.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240672468.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240600437.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240611156.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240623078.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240602765.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240621921.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240709671.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240601156.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240601468.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240625609.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240609375.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240621921.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240623078.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240610640.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240600437.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240594000.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240599078.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240623078.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240625609.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240600437.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240599515.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240602765.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240609375.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240595406.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240600000.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240602218.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240672468.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240583734.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240584296.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240594750.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240595406.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240709671.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240625609.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240659718.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240672468.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240709671.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240584875.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240600718.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240600968.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240623078.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240718062.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240611156.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240594750.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240602765.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240609375.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240611156.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240584875.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240610640.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240601156.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240598625.exe
File created	C:\Windows\SysWOW64\fsb.tmp	tmp240579421.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240579421.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240595515.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240582765.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240700328.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240582765.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240600000.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240600000.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240709671.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240610218.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240621921.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240686468.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240700328.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240579421.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240584875.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240600437.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240600718.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240582765.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240594000.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240610218.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240686468.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240601156.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240601156.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240599515.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3872	2436	WerFault.exe	30

Modifies registry class 33 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240595515.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240583734.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240610640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240624515.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240579421.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240584875.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240709671.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240598625.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240623078.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240625609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240594000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240594750.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240602218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240621921.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240600718.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240601468.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240609375.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240611156.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240686468.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240600437.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240601156.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240595406.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240600968.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240602765.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240659718.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240582765.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240600000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240672468.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240700328.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240584296.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240599078.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240599515.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240610218.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 1496	1592	31016fa552296c59009b533bd6ed74eb66a718367780c6aafa4abd5a151a4a24.exe	32
PID 1592 wrote to memory of 1496	1592	31016fa552296c59009b533bd6ed74eb66a718367780c6aafa4abd5a151a4a24.exe	32
PID 1592 wrote to memory of 1496	1592	31016fa552296c59009b533bd6ed74eb66a718367780c6aafa4abd5a151a4a24.exe	32
PID 1592 wrote to memory of 2436	1592	31016fa552296c59009b533bd6ed74eb66a718367780c6aafa4abd5a151a4a24.exe	30
PID 1592 wrote to memory of 2436	1592	31016fa552296c59009b533bd6ed74eb66a718367780c6aafa4abd5a151a4a24.exe	30
PID 1592 wrote to memory of 2436	1592	31016fa552296c59009b533bd6ed74eb66a718367780c6aafa4abd5a151a4a24.exe	30
PID 1496 wrote to memory of 3844	1496	tmp240579421.exe	89
PID 1496 wrote to memory of 3844	1496	tmp240579421.exe	89
PID 1496 wrote to memory of 3844	1496	tmp240579421.exe	89
PID 3844 wrote to memory of 320	3844	notpad.exe	135
PID 3844 wrote to memory of 320	3844	notpad.exe	135
PID 3844 wrote to memory of 320	3844	notpad.exe	135
PID 3844 wrote to memory of 2020	3844	notpad.exe	87
PID 3844 wrote to memory of 2020	3844	notpad.exe	87
PID 3844 wrote to memory of 2020	3844	notpad.exe	87
PID 320 wrote to memory of 4776	320	tmp240608375.exe	88
PID 320 wrote to memory of 4776	320	tmp240608375.exe	88
PID 320 wrote to memory of 4776	320	tmp240608375.exe	88
PID 4776 wrote to memory of 4484	4776	notpad.exe	90
PID 4776 wrote to memory of 4484	4776	notpad.exe	90
PID 4776 wrote to memory of 4484	4776	notpad.exe	90
PID 4776 wrote to memory of 2516	4776	notpad.exe	91
PID 4776 wrote to memory of 2516	4776	notpad.exe	91
PID 4776 wrote to memory of 2516	4776	notpad.exe	91
PID 4484 wrote to memory of 4984	4484	tmp240582765.exe	93
PID 4484 wrote to memory of 4984	4484	tmp240582765.exe	93
PID 4484 wrote to memory of 4984	4484	tmp240582765.exe	93
PID 4984 wrote to memory of 4592	4984	notpad.exe	92
PID 4984 wrote to memory of 4592	4984	notpad.exe	92
PID 4984 wrote to memory of 4592	4984	notpad.exe	92
PID 4984 wrote to memory of 3160	4984	notpad.exe	99
PID 4984 wrote to memory of 3160	4984	notpad.exe	99
PID 4984 wrote to memory of 3160	4984	notpad.exe	99
PID 3160 wrote to memory of 2272	3160	tmp240583890.exe	94
PID 3160 wrote to memory of 2272	3160	tmp240583890.exe	94
PID 3160 wrote to memory of 2272	3160	tmp240583890.exe	94
PID 4592 wrote to memory of 4536	4592	tmp240583734.exe	225
PID 4592 wrote to memory of 4536	4592	tmp240583734.exe	225
PID 4592 wrote to memory of 4536	4592	tmp240583734.exe	225
PID 3160 wrote to memory of 3532	3160	tmp240583890.exe	242
PID 3160 wrote to memory of 3532	3160	tmp240583890.exe	242
PID 3160 wrote to memory of 3532	3160	tmp240583890.exe	242
PID 4536 wrote to memory of 5112	4536	wmiprvse.exe	96
PID 4536 wrote to memory of 5112	4536	wmiprvse.exe	96
PID 4536 wrote to memory of 5112	4536	wmiprvse.exe	96
PID 4536 wrote to memory of 4320	4536	wmiprvse.exe	97
PID 4536 wrote to memory of 4320	4536	wmiprvse.exe	97
PID 4536 wrote to memory of 4320	4536	wmiprvse.exe	97
PID 5112 wrote to memory of 2744	5112	tmp240584296.exe	100
PID 5112 wrote to memory of 2744	5112	tmp240584296.exe	100
PID 5112 wrote to memory of 2744	5112	tmp240584296.exe	100
PID 4320 wrote to memory of 3380	4320	tmp240584406.exe	120
PID 4320 wrote to memory of 3380	4320	tmp240584406.exe	120
PID 4320 wrote to memory of 3380	4320	tmp240584406.exe	120
PID 2744 wrote to memory of 3308	2744	notpad.exe	103
PID 2744 wrote to memory of 3308	2744	notpad.exe	103
PID 2744 wrote to memory of 3308	2744	notpad.exe	103
PID 4320 wrote to memory of 4380	4320	tmp240584406.exe	248
PID 4320 wrote to memory of 4380	4320	tmp240584406.exe	248
PID 4320 wrote to memory of 4380	4320	tmp240584406.exe	248
PID 3380 wrote to memory of 4820	3380	tmp240584875.exe	101
PID 3380 wrote to memory of 4820	3380	tmp240584875.exe	101
PID 3380 wrote to memory of 4820	3380	tmp240584875.exe	101
PID 2744 wrote to memory of 4716	2744	notpad.exe	256

C:\Users\Admin\AppData\Local\Temp\31016fa552296c59009b533bd6ed74eb66a718367780c6aafa4abd5a151a4a24.exe
"C:\Users\Admin\AppData\Local\Temp\31016fa552296c59009b533bd6ed74eb66a718367780c6aafa4abd5a151a4a24.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Users\Admin\AppData\Local\Temp\tmp240579500.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240579500.exe
  2⤵
  - Executes dropped EXE
  PID:2436
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2436 -s 228
    3⤵
    - Program crash
    PID:3872
- C:\Users\Admin\AppData\Local\Temp\tmp240579421.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240579421.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2436 -ip 2436
1⤵
PID:3032

C:\Users\Admin\AppData\Local\Temp\tmp240582000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240582000.exe
1⤵
PID:320
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4776
- - C:\Users\Admin\AppData\Local\Temp\tmp240582765.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240582765.exe
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4484
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4984
    - - C:\Users\Admin\AppData\Local\Temp\tmp240583890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240583890.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3160
- - C:\Users\Admin\AppData\Local\Temp\tmp240583140.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240583140.exe
    3⤵
    - Executes dropped EXE
    PID:2516

C:\Users\Admin\AppData\Local\Temp\tmp240582109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240582109.exe
1⤵
- Executes dropped EXE
PID:2020

C:\Users\Admin\AppData\Local\Temp\tmp240583734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240583734.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4592
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:4536
- - C:\Users\Admin\AppData\Local\Temp\tmp240584296.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240584296.exe
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:5112
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Users\Admin\AppData\Local\Temp\tmp240587078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240587078.exe
        5⤵
        Executes dropped EXE
        
        PID:3308
    - - C:\Users\Admin\AppData\Local\Temp\tmp240588359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588359.exe
        5⤵
        
        PID:4716
- - C:\Users\Admin\AppData\Local\Temp\tmp240584406.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240584406.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4320
  - - C:\Users\Admin\AppData\Local\Temp\tmp240588281.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240588281.exe
      4⤵
      PID:4380
  - - C:\Users\Admin\AppData\Local\Temp\tmp240584875.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240584875.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3380

C:\Users\Admin\AppData\Local\Temp\tmp240584031.exe
C:\Users\Admin\AppData\Local\Temp\tmp240584031.exe
1⤵
- Executes dropped EXE
PID:2272

C:\Users\Admin\AppData\Local\Temp\tmp240584265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240584265.exe
1⤵
PID:3532

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
PID:4820
- C:\Users\Admin\AppData\Local\Temp\tmp240589000.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240589000.exe
  2⤵
  PID:5084
- - C:\Users\Admin\AppData\Local\Temp\tmp240589812.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240589812.exe
    3⤵
    - Executes dropped EXE
    PID:4404
- - C:\Users\Admin\AppData\Local\Temp\tmp240589234.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240589234.exe
    3⤵
    - Executes dropped EXE
    PID:2664
- C:\Users\Admin\AppData\Local\Temp\tmp240588703.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240588703.exe
  2⤵
  PID:3656

C:\Users\Admin\AppData\Local\Temp\tmp240589062.exe
C:\Users\Admin\AppData\Local\Temp\tmp240589062.exe
1⤵
- Executes dropped EXE
PID:4444

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1232
- C:\Users\Admin\AppData\Local\Temp\tmp240590093.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240590093.exe
  2⤵
  PID:1284
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    PID:4368
  - - C:\Users\Admin\AppData\Local\Temp\tmp240591453.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240591453.exe
      4⤵
      PID:4492
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        Executes dropped EXE
        
        PID:920
      - C:\Users\Admin\AppData\Local\Temp\tmp240592109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592109.exe
        6⤵
        Executes dropped EXE
        
        PID:3912
      - C:\Users\Admin\AppData\Local\Temp\tmp240593546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593546.exe
        6⤵
        Executes dropped EXE
        
        PID:1372
    - - C:\Users\Admin\AppData\Local\Temp\tmp240600796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600796.exe
        5⤵
        
        PID:4004
    - - C:\Users\Admin\AppData\Local\Temp\tmp240600843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600843.exe
        5⤵
        
        PID:1812
  - - C:\Users\Admin\AppData\Local\Temp\tmp240591515.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240591515.exe
      4⤵
      Executes dropped EXE
      PID:4076
    - - C:\Users\Admin\AppData\Local\Temp\tmp240593500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593500.exe
        5⤵
        Executes dropped EXE
        
        PID:4208
      - C:\Users\Admin\AppData\Local\Temp\tmp240593781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593781.exe
        6⤵
        Executes dropped EXE
        
        PID:2816
      - C:\Users\Admin\AppData\Local\Temp\tmp240593640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593640.exe
        6⤵
        Executes dropped EXE
        
        PID:4280
    - - C:\Users\Admin\AppData\Local\Temp\tmp240591765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591765.exe
        5⤵
        
        PID:2596
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        Executes dropped EXE
        
        PID:4612
- C:\Users\Admin\AppData\Local\Temp\tmp240590250.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240590250.exe
  2⤵
  - Executes dropped EXE
  PID:4532
- - C:\Users\Admin\AppData\Local\Temp\tmp240590421.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240590421.exe
    3⤵
    - Executes dropped EXE
    PID:2820
- - C:\Users\Admin\AppData\Local\Temp\tmp240590640.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240590640.exe
    3⤵
    PID:2768
- C:\Users\Admin\AppData\Local\Temp\tmp240600265.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240600265.exe
  2⤵
  PID:4192
- C:\Users\Admin\AppData\Local\Temp\tmp240600312.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240600312.exe
  2⤵
  PID:2100

C:\Users\Admin\AppData\Local\Temp\tmp240589578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240589578.exe
1⤵
PID:4524

C:\Users\Admin\AppData\Local\Temp\tmp240594234.exe
C:\Users\Admin\AppData\Local\Temp\tmp240594234.exe
1⤵
- Executes dropped EXE
PID:5008

C:\Users\Admin\AppData\Local\Temp\tmp240594109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240594109.exe
1⤵
- Executes dropped EXE
PID:4892
- C:\Users\Admin\AppData\Local\Temp\tmp240594734.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240594734.exe
  2⤵
  PID:3800
- C:\Users\Admin\AppData\Local\Temp\tmp240594578.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240594578.exe
  2⤵
  - Executes dropped EXE
  PID:1592

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:2128
- C:\Users\Admin\AppData\Local\Temp\tmp240594859.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240594859.exe
  2⤵
  - Executes dropped EXE
  PID:2640
- - C:\Users\Admin\AppData\Local\Temp\tmp240595093.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240595093.exe
    3⤵
    - Executes dropped EXE
    PID:4580
- - C:\Users\Admin\AppData\Local\Temp\tmp240595218.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240595218.exe
    3⤵
    - Executes dropped EXE
    PID:3984
  - - C:\Users\Admin\AppData\Local\Temp\tmp240595296.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240595296.exe
      4⤵
      Executes dropped EXE
      PID:3392
  - - C:\Users\Admin\AppData\Local\Temp\tmp240595390.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240595390.exe
      4⤵
      PID:312
- C:\Users\Admin\AppData\Local\Temp\tmp240594750.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240594750.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  PID:1524

C:\Users\Admin\AppData\Local\Temp\tmp240594843.exe
C:\Users\Admin\AppData\Local\Temp\tmp240594843.exe
1⤵
PID:2712

C:\Users\Admin\AppData\Local\Temp\tmp240594968.exe
C:\Users\Admin\AppData\Local\Temp\tmp240594968.exe
1⤵
- Executes dropped EXE
PID:3776

C:\Users\Admin\AppData\Local\Temp\tmp240595406.exe
C:\Users\Admin\AppData\Local\Temp\tmp240595406.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:5100
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:3856
- - C:\Users\Admin\AppData\Local\Temp\tmp240598640.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240598640.exe
    3⤵
    PID:4080
  - - C:\Users\Admin\AppData\Local\Temp\tmp240598937.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240598937.exe
      4⤵
      PID:4948
  - - C:\Users\Admin\AppData\Local\Temp\tmp240599000.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240599000.exe
      4⤵
      PID:4688

C:\Users\Admin\AppData\Local\Temp\tmp240595515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240595515.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies registry class
PID:320
- C:\Users\Admin\AppData\Local\Temp\tmp240595718.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240595718.exe
  2⤵
  PID:1236
- - C:\Users\Admin\AppData\Local\Temp\tmp240595921.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240595921.exe
    3⤵
    PID:944
- - C:\Users\Admin\AppData\Local\Temp\tmp240595781.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240595781.exe
    3⤵
    PID:3124
- C:\Users\Admin\AppData\Local\Temp\tmp240595625.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240595625.exe
  2⤵
  PID:3828

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
PID:3980

C:\Users\Admin\AppData\Local\Temp\tmp240594046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240594046.exe
1⤵
- Executes dropped EXE
PID:524

C:\Users\Admin\AppData\Local\Temp\tmp240594000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240594000.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:4604

C:\Users\Admin\AppData\Local\Temp\tmp240593812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240593812.exe
1⤵
PID:1408

C:\Users\Admin\AppData\Local\Temp\tmp240593734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240593734.exe
1⤵
- Executes dropped EXE
PID:3748

C:\Users\Admin\AppData\Local\Temp\tmp240598625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240598625.exe
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:3764
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:4216

C:\Users\Admin\AppData\Local\Temp\tmp240599078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599078.exe
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:1816
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:4608

C:\Users\Admin\AppData\Local\Temp\tmp240599125.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599125.exe
1⤵
PID:4164
- C:\Users\Admin\AppData\Local\Temp\tmp240599296.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240599296.exe
  2⤵
  PID:2216
- C:\Users\Admin\AppData\Local\Temp\tmp240599187.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240599187.exe
  2⤵
  PID:2352

C:\Users\Admin\AppData\Local\Temp\tmp240599359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599359.exe
1⤵
PID:5032

C:\Users\Admin\AppData\Local\Temp\tmp240599625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599625.exe
1⤵
PID:1884

C:\Users\Admin\AppData\Local\Temp\tmp240599640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599640.exe
1⤵
PID:3064
- C:\Users\Admin\AppData\Local\Temp\tmp240599796.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240599796.exe
  2⤵
  PID:3472
- C:\Users\Admin\AppData\Local\Temp\tmp240599812.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240599812.exe
  2⤵
  PID:768

C:\Users\Admin\AppData\Local\Temp\tmp240599906.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599906.exe
1⤵
PID:4296
- C:\Users\Admin\AppData\Local\Temp\tmp240599953.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240599953.exe
  2⤵
  PID:2732
- C:\Users\Admin\AppData\Local\Temp\tmp240599968.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240599968.exe
  2⤵
  PID:3656

C:\Users\Admin\AppData\Local\Temp\tmp240600000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240600000.exe
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:492
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  PID:2768
- - C:\Users\Admin\AppData\Local\Temp\tmp240600531.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240600531.exe
    3⤵
    PID:5016
  - - C:\Users\Admin\AppData\Local\Temp\tmp240600671.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240600671.exe
      4⤵
      PID:428
  - - C:\Users\Admin\AppData\Local\Temp\tmp240600718.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240600718.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in System32 directory
      Modifies registry class
      PID:4492
- - C:\Users\Admin\AppData\Local\Temp\tmp240600390.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240600390.exe
    3⤵
    PID:3756

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:3016
- C:\Users\Admin\AppData\Local\Temp\tmp240600031.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240600031.exe
  2⤵
  - Executes dropped EXE
  PID:1232

C:\Users\Admin\AppData\Local\Temp\tmp240599890.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599890.exe
1⤵
- Executes dropped EXE
PID:5084

C:\Users\Admin\AppData\Local\Temp\tmp240600515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240600515.exe
1⤵
PID:4232
- C:\Users\Admin\AppData\Local\Temp\tmp240600734.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240600734.exe
  2⤵
  PID:1796
- C:\Users\Admin\AppData\Local\Temp\tmp240600656.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240600656.exe
  2⤵
  PID:2620

C:\Users\Admin\AppData\Local\Temp\tmp240600437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240600437.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:1284
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:3156
- - C:\Users\Admin\AppData\Local\Temp\tmp240600968.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240600968.exe
    3⤵
    - Checks computer location settings
    - Drops file in System32 directory
    - Modifies registry class
    PID:1288
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:1520
- - C:\Users\Admin\AppData\Local\Temp\tmp240601000.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240601000.exe
    3⤵
    PID:4072
  - - C:\Users\Admin\AppData\Local\Temp\tmp240601140.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240601140.exe
      4⤵
      PID:4900
  - - C:\Users\Admin\AppData\Local\Temp\tmp240601156.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240601156.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in System32 directory
      Modifies registry class
      PID:2596
    - - C:\Users\Admin\AppData\Local\Temp\tmp240601218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601218.exe
        5⤵
        
        PID:2524
    - - C:\Users\Admin\AppData\Local\Temp\tmp240601265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601265.exe
        5⤵
        
        PID:3928
      - C:\Users\Admin\AppData\Local\Temp\tmp240601296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601296.exe
        6⤵
        
        PID:4472
      - C:\Users\Admin\AppData\Local\Temp\tmp240601343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601343.exe
        6⤵
        
        PID:4812

C:\Users\Admin\AppData\Local\Temp\tmp240600953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240600953.exe
1⤵
PID:2284

C:\Users\Admin\AppData\Local\Temp\tmp240600890.exe
C:\Users\Admin\AppData\Local\Temp\tmp240600890.exe
1⤵
PID:4512

C:\Users\Admin\AppData\Local\Temp\tmp240601468.exe
C:\Users\Admin\AppData\Local\Temp\tmp240601468.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:1408
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  PID:3800
- - C:\Users\Admin\AppData\Local\Temp\tmp240602218.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240602218.exe
    3⤵
    - Checks computer location settings
    - Drops file in System32 directory
    - Modifies registry class
    PID:2760
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      Executes dropped EXE
      PID:312
    - - C:\Users\Admin\AppData\Local\Temp\tmp240602765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602765.exe
        5⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3828
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609375.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        Executes dropped EXE
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610250.exe
        9⤵
        Executes dropped EXE
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610328.exe
        9⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610546.exe
        10⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610640.exe
        10⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610828.exe
        11⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610968.exe
        12⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611109.exe
        13⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611140.exe
        13⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611265.exe
        14⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611359.exe
        14⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611546.exe
        15⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621593.exe
        15⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621859.exe
        16⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621968.exe
        16⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622078.exe
        17⤵
        
        PID:656
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622140.exe
        17⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610796.exe
        11⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609437.exe
        7⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609703.exe
        8⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609734.exe
        8⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609968.exe
        9⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610015.exe
        9⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610078.exe
        10⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610125.exe
        10⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610218.exe
        11⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611156.exe
        13⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        14⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621937.exe
        15⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622000.exe
        15⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622296.exe
        16⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622359.exe
        16⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622578.exe
        17⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622625.exe
        17⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622765.exe
        18⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622796.exe
        18⤵
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622937.exe
        19⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623000.exe
        19⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623171.exe
        20⤵
        
        PID:496
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623234.exe
        20⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623406.exe
        21⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623515.exe
        21⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623671.exe
        22⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623750.exe
        22⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623921.exe
        23⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623984.exe
        23⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624093.exe
        24⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624140.exe
        24⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624265.exe
        25⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624343.exe
        25⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611234.exe
        13⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611375.exe
        14⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611453.exe
        14⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621921.exe
        15⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623093.exe
        17⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623156.exe
        17⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623531.exe
        18⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623609.exe
        18⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624015.exe
        19⤵
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624187.exe
        19⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624406.exe
        20⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624453.exe
        20⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624640.exe
        21⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624703.exe
        21⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624828.exe
        22⤵
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624906.exe
        22⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625062.exe
        23⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625078.exe
        23⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625187.exe
        24⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625265.exe
        24⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625406.exe
        25⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625484.exe
        25⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625640.exe
        26⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625796.exe
        26⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626000.exe
        27⤵
        
        PID:492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626187.exe
        28⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626281.exe
        28⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625890.exe
        27⤵
        
        PID:484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621953.exe
        15⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622281.exe
        16⤵
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622390.exe
        16⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622593.exe
        17⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622640.exe
        17⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622781.exe
        18⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622843.exe
        18⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623078.exe
        19⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4940
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624515.exe
        21⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4528
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        22⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625609.exe
        23⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1848
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        24⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659718.exe
        25⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4240
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        26⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672468.exe
        27⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:496
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        28⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686468.exe
        29⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2216
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        30⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700484.exe
        31⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700625.exe
        31⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709828.exe
        32⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709890.exe
        32⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714031.exe
        33⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714093.exe
        33⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714640.exe
        34⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718031.exe
        34⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718453.exe
        35⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718609.exe
        35⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724921.exe
        36⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\tmp240726328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240726328.exe
        36⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240726984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240726984.exe
        37⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686671.exe
        29⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687187.exe
        30⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687281.exe
        30⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700156.exe
        31⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700234.exe
        31⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700609.exe
        32⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700671.exe
        32⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701109.exe
        33⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704781.exe
        33⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705265.exe
        34⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705343.exe
        34⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709812.exe
        35⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710031.exe
        35⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\tmp240713968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240713968.exe
        36⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714109.exe
        36⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714609.exe
        37⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718046.exe
        37⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718796.exe
        38⤵
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718875.exe
        38⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724890.exe
        39⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240726125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240726125.exe
        39⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\tmp240726437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240726437.exe
        40⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672593.exe
        27⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673109.exe
        28⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673359.exe
        28⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673640.exe
        29⤵
        
        PID:460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685859.exe
        29⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686046.exe
        30⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686312.exe
        30⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686812.exe
        31⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687031.exe
        31⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687453.exe
        32⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmp240699953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240699953.exe
        32⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700328.exe
        33⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        34⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709671.exe
        35⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        36⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718062.exe
        37⤵
        Drops file in System32 directory
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709734.exe
        35⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710187.exe
        36⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\tmp240713828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240713828.exe
        36⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714218.exe
        37⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714484.exe
        37⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718312.exe
        38⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718421.exe
        38⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724906.exe
        39⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\tmp240726406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240726406.exe
        39⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240727000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240727000.exe
        40⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700375.exe
        33⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700734.exe
        34⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700828.exe
        34⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704843.exe
        35⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705000.exe
        35⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705281.exe
        36⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705359.exe
        36⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659875.exe
        25⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666453.exe
        26⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666640.exe
        26⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667062.exe
        27⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667093.exe
        27⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672390.exe
        28⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672703.exe
        28⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673156.exe
        29⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673343.exe
        29⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673609.exe
        30⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685781.exe
        30⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686062.exe
        31⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686375.exe
        31⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686796.exe
        32⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686921.exe
        32⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687359.exe
        33⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240699937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240699937.exe
        33⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700312.exe
        34⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700390.exe
        34⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700640.exe
        35⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700750.exe
        35⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700968.exe
        36⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240701046.exe
        36⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704812.exe
        37⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240704921.exe
        37⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705125.exe
        38⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705187.exe
        38⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705406.exe
        39⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709484.exe
        39⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625703.exe
        23⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626015.exe
        24⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626109.exe
        24⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626421.exe
        25⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626531.exe
        25⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659656.exe
        26⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659687.exe
        26⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659984.exe
        27⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666218.exe
        27⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666546.exe
        28⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666703.exe
        28⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667000.exe
        29⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667078.exe
        29⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672375.exe
        30⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672406.exe
        30⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673015.exe
        31⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673062.exe
        31⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673515.exe
        32⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685765.exe
        32⤵
        
        PID:528
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685875.exe
        33⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685984.exe
        33⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686265.exe
        34⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686328.exe
        34⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686765.exe
        35⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686906.exe
        35⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687171.exe
        36⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687312.exe
        36⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624546.exe
        21⤵
        
        PID:3024
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624781.exe
        22⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624875.exe
        22⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625125.exe
        23⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625218.exe
        23⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625375.exe
        24⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625437.exe
        24⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625625.exe
        25⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625765.exe
        25⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626093.exe
        26⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626125.exe
        26⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626468.exe
        27⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626515.exe
        27⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626609.exe
        28⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655453.exe
        28⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659453.exe
        29⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659593.exe
        29⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659765.exe
        30⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659921.exe
        30⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666203.exe
        31⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666250.exe
        31⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666406.exe
        32⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666562.exe
        32⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666781.exe
        33⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666906.exe
        33⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623125.exe
        19⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623328.exe
        20⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623578.exe
        20⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623781.exe
        21⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623968.exe
        21⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624046.exe
        22⤵
        
        PID:460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624125.exe
        22⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610265.exe
        11⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610359.exe
        12⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610406.exe
        12⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610531.exe
        13⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610625.exe
        13⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610734.exe
        14⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610843.exe
        14⤵
        
        PID:1388
    - - C:\Users\Admin\AppData\Local\Temp\tmp240608750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608750.exe
        5⤵
        
        PID:1236
      - C:\Users\Admin\AppData\Local\Temp\tmp240608921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608921.exe
        6⤵
        
        PID:460
      - C:\Users\Admin\AppData\Local\Temp\tmp240608953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608953.exe
        6⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609109.exe
        7⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609140.exe
        7⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609265.exe
        8⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609328.exe
        8⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609484.exe
        9⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609515.exe
        9⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609718.exe
        10⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609828.exe
        11⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609906.exe
        11⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609671.exe
        10⤵
        Executes dropped EXE
        
        PID:4380
- - C:\Users\Admin\AppData\Local\Temp\tmp240602281.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240602281.exe
    3⤵
    PID:4956

C:\Users\Admin\AppData\Local\Temp\tmp240601484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240601484.exe
1⤵
PID:2508
- C:\Users\Admin\AppData\Local\Temp\tmp240601593.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240601593.exe
  2⤵
  PID:2548
- C:\Users\Admin\AppData\Local\Temp\tmp240601687.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240601687.exe
  2⤵
  PID:4188
- - C:\Users\Admin\AppData\Local\Temp\tmp240601796.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240601796.exe
    3⤵
    PID:3204
- - C:\Users\Admin\AppData\Local\Temp\tmp240601875.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240601875.exe
    3⤵
    PID:3976
  - - C:\Users\Admin\AppData\Local\Temp\tmp240602015.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240602015.exe
      4⤵
      PID:1404
    - - C:\Users\Admin\AppData\Local\Temp\tmp240602093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602093.exe
        5⤵
        Executes dropped EXE
        
        PID:2128
    - - C:\Users\Admin\AppData\Local\Temp\tmp240602156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602156.exe
        5⤵
        Executes dropped EXE
        
        PID:2712

C:\Users\Admin\AppData\Local\Temp\tmp240601953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240601953.exe
1⤵
PID:3996

C:\Users\Admin\AppData\Local\Temp\tmp240602390.exe
C:\Users\Admin\AppData\Local\Temp\tmp240602390.exe
1⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\tmp240602437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240602437.exe
1⤵
PID:224
- C:\Users\Admin\AppData\Local\Temp\tmp240602562.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240602562.exe
  2⤵
  PID:3676
- - C:\Users\Admin\AppData\Local\Temp\tmp240602640.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240602640.exe
    3⤵
    PID:3740
- - C:\Users\Admin\AppData\Local\Temp\tmp240602703.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240602703.exe
    3⤵
    PID:3228
  - - C:\Users\Admin\AppData\Local\Temp\tmp240608375.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240608375.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:320
  - - C:\Users\Admin\AppData\Local\Temp\tmp240608781.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240608781.exe
      4⤵
      PID:3124
    - - C:\Users\Admin\AppData\Local\Temp\tmp240608984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608984.exe
        5⤵
        
        PID:4744
    - - C:\Users\Admin\AppData\Local\Temp\tmp240609062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609062.exe
        5⤵
        
        PID:1000
- C:\Users\Admin\AppData\Local\Temp\tmp240602531.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240602531.exe
  2⤵
  PID:4992

C:\Users\Admin\AppData\Local\Temp\tmp240599671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599671.exe
1⤵
PID:2568

C:\Users\Admin\AppData\Local\Temp\tmp240599593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599593.exe
1⤵
PID:2716

C:\Users\Admin\AppData\Local\Temp\tmp240599562.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599562.exe
1⤵
PID:2164

C:\Users\Admin\AppData\Local\Temp\tmp240599515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599515.exe
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:1440

C:\Users\Admin\AppData\Local\Temp\tmp240599421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599421.exe
1⤵
PID:4220

C:\Users\Admin\AppData\Local\Temp\tmp240599171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599171.exe
1⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\tmp240599140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599140.exe
1⤵
PID:3516

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4536

C:\Users\Admin\AppData\Local\Temp\tmp240610953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240610953.exe
1⤵
PID:4916

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp240579421.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240579421.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240579500.exe

Filesize
136KB

MD5
9aeb06a81883647698958706907b1c8b

SHA1
1ed819748dd1683826910789ce3c0e331ab636b9

SHA256
2739d7b4fc7ec6f5ccbed17d4c9f57c8905147bdc926a1995e1f9c4f258d55cc

SHA512
d388602a1e322789dda56df6776d570972acce420e45044699f7178115f8c20f32f9723a63657c58771df3ef54afa3193e817679b91cc24fe80d94c78ad09bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240579500.exe

Filesize
136KB

MD5
9aeb06a81883647698958706907b1c8b

SHA1
1ed819748dd1683826910789ce3c0e331ab636b9

SHA256
2739d7b4fc7ec6f5ccbed17d4c9f57c8905147bdc926a1995e1f9c4f258d55cc

SHA512
d388602a1e322789dda56df6776d570972acce420e45044699f7178115f8c20f32f9723a63657c58771df3ef54afa3193e817679b91cc24fe80d94c78ad09bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240582000.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240582000.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240582109.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240582765.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240582765.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240583140.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240583734.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240583734.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240583890.exe

Filesize
3.2MB

MD5
8a7ab8f769817c25c1b7da6c08eb1c61

SHA1
5516cdcd79fe84fc0de31617cbfd0804906fed70

SHA256
891047d8ca2a1c056936d58bcb843055e1905216f98183d210bb3590161e543c

SHA512
4da94c4972948a02acc752c81e9a6c8ee789d6e98b39138703ec97067b83be6ea3fe94bd05d53fcad63dc32f3a48a9aa7542aa296e907806c0bfd9745b4cd7ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240583890.exe

Filesize
3.2MB

MD5
8a7ab8f769817c25c1b7da6c08eb1c61

SHA1
5516cdcd79fe84fc0de31617cbfd0804906fed70

SHA256
891047d8ca2a1c056936d58bcb843055e1905216f98183d210bb3590161e543c

SHA512
4da94c4972948a02acc752c81e9a6c8ee789d6e98b39138703ec97067b83be6ea3fe94bd05d53fcad63dc32f3a48a9aa7542aa296e907806c0bfd9745b4cd7ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240584031.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240584031.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240584265.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240584296.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240584296.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240584406.exe

Filesize
3.2MB

MD5
8a7ab8f769817c25c1b7da6c08eb1c61

SHA1
5516cdcd79fe84fc0de31617cbfd0804906fed70

SHA256
891047d8ca2a1c056936d58bcb843055e1905216f98183d210bb3590161e543c

SHA512
4da94c4972948a02acc752c81e9a6c8ee789d6e98b39138703ec97067b83be6ea3fe94bd05d53fcad63dc32f3a48a9aa7542aa296e907806c0bfd9745b4cd7ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240584406.exe

Filesize
3.2MB

MD5
8a7ab8f769817c25c1b7da6c08eb1c61

SHA1
5516cdcd79fe84fc0de31617cbfd0804906fed70

SHA256
891047d8ca2a1c056936d58bcb843055e1905216f98183d210bb3590161e543c

SHA512
4da94c4972948a02acc752c81e9a6c8ee789d6e98b39138703ec97067b83be6ea3fe94bd05d53fcad63dc32f3a48a9aa7542aa296e907806c0bfd9745b4cd7ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240584875.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240584875.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240587078.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240587078.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240588281.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240588359.exe

Filesize
3.2MB

MD5
8a7ab8f769817c25c1b7da6c08eb1c61

SHA1
5516cdcd79fe84fc0de31617cbfd0804906fed70

SHA256
891047d8ca2a1c056936d58bcb843055e1905216f98183d210bb3590161e543c

SHA512
4da94c4972948a02acc752c81e9a6c8ee789d6e98b39138703ec97067b83be6ea3fe94bd05d53fcad63dc32f3a48a9aa7542aa296e907806c0bfd9745b4cd7ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240588359.exe

Filesize
3.2MB

MD5
8a7ab8f769817c25c1b7da6c08eb1c61

SHA1
5516cdcd79fe84fc0de31617cbfd0804906fed70

SHA256
891047d8ca2a1c056936d58bcb843055e1905216f98183d210bb3590161e543c

SHA512
4da94c4972948a02acc752c81e9a6c8ee789d6e98b39138703ec97067b83be6ea3fe94bd05d53fcad63dc32f3a48a9aa7542aa296e907806c0bfd9745b4cd7ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240588703.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240588703.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240589000.exe

Filesize
3.2MB

MD5
8a7ab8f769817c25c1b7da6c08eb1c61

SHA1
5516cdcd79fe84fc0de31617cbfd0804906fed70

SHA256
891047d8ca2a1c056936d58bcb843055e1905216f98183d210bb3590161e543c

SHA512
4da94c4972948a02acc752c81e9a6c8ee789d6e98b39138703ec97067b83be6ea3fe94bd05d53fcad63dc32f3a48a9aa7542aa296e907806c0bfd9745b4cd7ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240589000.exe

Filesize
3.2MB

MD5
8a7ab8f769817c25c1b7da6c08eb1c61

SHA1
5516cdcd79fe84fc0de31617cbfd0804906fed70

SHA256
891047d8ca2a1c056936d58bcb843055e1905216f98183d210bb3590161e543c

SHA512
4da94c4972948a02acc752c81e9a6c8ee789d6e98b39138703ec97067b83be6ea3fe94bd05d53fcad63dc32f3a48a9aa7542aa296e907806c0bfd9745b4cd7ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240589062.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240589062.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240589234.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240589234.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240589578.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240589812.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240590093.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240590093.exe

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240590250.exe

Filesize
3.2MB

MD5
8a7ab8f769817c25c1b7da6c08eb1c61

SHA1
5516cdcd79fe84fc0de31617cbfd0804906fed70

SHA256
891047d8ca2a1c056936d58bcb843055e1905216f98183d210bb3590161e543c

SHA512
4da94c4972948a02acc752c81e9a6c8ee789d6e98b39138703ec97067b83be6ea3fe94bd05d53fcad63dc32f3a48a9aa7542aa296e907806c0bfd9745b4cd7ac

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
3.0MB

MD5
740593e73b952d0c0be78bcb68a3f734

SHA1
93ac000e46d180a284f16f6c2c43056c1b7a787f

SHA256
21f7a6df33a2c1d0018dc67de081dd129ff0b98ad54d26c70a36583e4dd12b30

SHA512
587851d03f2819561fb1cbc0e9792cfd7fffebe99b8c56f533ab62fd5e3d86c11a39a50bc9df87dfd1e03d90db99a91c4b3dc2a4825f9559c0c8b9a1caeaff70

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.2MB

MD5
8a7ab8f769817c25c1b7da6c08eb1c61

SHA1
5516cdcd79fe84fc0de31617cbfd0804906fed70

SHA256
891047d8ca2a1c056936d58bcb843055e1905216f98183d210bb3590161e543c

SHA512
4da94c4972948a02acc752c81e9a6c8ee789d6e98b39138703ec97067b83be6ea3fe94bd05d53fcad63dc32f3a48a9aa7542aa296e907806c0bfd9745b4cd7ac

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.2MB

MD5
8a7ab8f769817c25c1b7da6c08eb1c61

SHA1
5516cdcd79fe84fc0de31617cbfd0804906fed70

SHA256
891047d8ca2a1c056936d58bcb843055e1905216f98183d210bb3590161e543c

SHA512
4da94c4972948a02acc752c81e9a6c8ee789d6e98b39138703ec97067b83be6ea3fe94bd05d53fcad63dc32f3a48a9aa7542aa296e907806c0bfd9745b4cd7ac

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.2MB

MD5
8a7ab8f769817c25c1b7da6c08eb1c61

SHA1
5516cdcd79fe84fc0de31617cbfd0804906fed70

SHA256
891047d8ca2a1c056936d58bcb843055e1905216f98183d210bb3590161e543c

SHA512
4da94c4972948a02acc752c81e9a6c8ee789d6e98b39138703ec97067b83be6ea3fe94bd05d53fcad63dc32f3a48a9aa7542aa296e907806c0bfd9745b4cd7ac

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
6.2MB

MD5
24940e03f576f014b72b8c2b2242c40f

SHA1
bab1d5254f143525af0bafbd93404579aae2844a

SHA256
7174da83183966b3f0d71b3d038f6410da9083d03f98be6719669e3f45c908ac

SHA512
c75d350e8e4badbaf2f8a50421905302256b8fe7acbd1bb737d2e7f80826c55884dbbf212622070d5f26621e4019fe94fa15a7ad0171035d55af498b06ec90ec

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
6.2MB

MD5
24940e03f576f014b72b8c2b2242c40f

SHA1
bab1d5254f143525af0bafbd93404579aae2844a

SHA256
7174da83183966b3f0d71b3d038f6410da9083d03f98be6719669e3f45c908ac

SHA512
c75d350e8e4badbaf2f8a50421905302256b8fe7acbd1bb737d2e7f80826c55884dbbf212622070d5f26621e4019fe94fa15a7ad0171035d55af498b06ec90ec

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
6.2MB

MD5
24940e03f576f014b72b8c2b2242c40f

SHA1
bab1d5254f143525af0bafbd93404579aae2844a

SHA256
7174da83183966b3f0d71b3d038f6410da9083d03f98be6719669e3f45c908ac

SHA512
c75d350e8e4badbaf2f8a50421905302256b8fe7acbd1bb737d2e7f80826c55884dbbf212622070d5f26621e4019fe94fa15a7ad0171035d55af498b06ec90ec

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
6.2MB

MD5
24940e03f576f014b72b8c2b2242c40f

SHA1
bab1d5254f143525af0bafbd93404579aae2844a

SHA256
7174da83183966b3f0d71b3d038f6410da9083d03f98be6719669e3f45c908ac

SHA512
c75d350e8e4badbaf2f8a50421905302256b8fe7acbd1bb737d2e7f80826c55884dbbf212622070d5f26621e4019fe94fa15a7ad0171035d55af498b06ec90ec

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
6.2MB

MD5
24940e03f576f014b72b8c2b2242c40f

SHA1
bab1d5254f143525af0bafbd93404579aae2844a

SHA256
7174da83183966b3f0d71b3d038f6410da9083d03f98be6719669e3f45c908ac

SHA512
c75d350e8e4badbaf2f8a50421905302256b8fe7acbd1bb737d2e7f80826c55884dbbf212622070d5f26621e4019fe94fa15a7ad0171035d55af498b06ec90ec

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
6.2MB

MD5
24940e03f576f014b72b8c2b2242c40f

SHA1
bab1d5254f143525af0bafbd93404579aae2844a

SHA256
7174da83183966b3f0d71b3d038f6410da9083d03f98be6719669e3f45c908ac

SHA512
c75d350e8e4badbaf2f8a50421905302256b8fe7acbd1bb737d2e7f80826c55884dbbf212622070d5f26621e4019fe94fa15a7ad0171035d55af498b06ec90ec

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
memory/320-300-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/768-315-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/920-263-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/920-256-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1232-246-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1232-319-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1232-320-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1236-301-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1372-271-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1372-269-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1408-276-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1592-138-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2100-321-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2128-288-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2128-286-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2164-312-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2436-139-0x0000000000010000-0x0000000000032000-memory.dmp

Filesize
136KB

Download
memory/2640-292-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2744-215-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2744-196-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2768-322-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2768-318-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3016-317-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3064-314-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3160-175-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3160-184-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3800-289-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3800-287-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3844-143-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3844-151-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3856-302-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3980-299-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3984-297-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4076-254-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4076-260-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4080-303-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4164-309-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4164-307-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4208-268-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4216-305-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4216-308-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4220-311-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4296-316-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4320-207-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4320-193-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4368-253-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4532-249-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4536-192-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4608-313-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4612-270-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4612-277-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4688-304-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4688-306-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4716-226-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4716-231-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4776-154-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4776-162-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4820-222-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4860-310-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4892-282-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4984-174-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5016-323-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5084-224-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5084-236-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download