b0336076c54f1050148f7cdf3a1e3fe92ba4ee445c30272eac0540486a4d25ce

Analysis

max time kernel
217s
max time network
228s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0336076c54f1050148f7cdf3a1e3fe92ba4ee445c30272eac0540486a4d25ce.exe
Size

9.2MB
MD5

797dd4c605af40a0fb1353f4b3c22d67
SHA1

256f9136ef8ad4fe4b09ad84e3e42ff580d0b7d3
SHA256

b0336076c54f1050148f7cdf3a1e3fe92ba4ee445c30272eac0540486a4d25ce
SHA512

cea6fcd301d8cbc13d3483068c57423f5c15babd5ddc8b12667b8c4e5f634d4b9bc6b18b250ed6d7850d9e103b643addd22a5638ccfe4792c830c9cf2814f080
SSDEEP

24576:wDyTFtjTDyTFtjtDyTFtjSDyTFtjwDyTFtjTDyTFtjtDyTFtjSDyTFtjKDyTFtj7:JtotGtztFtotGtztztotGtzt

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1432	tmp240619421.exe
4248	tmp240619718.exe
1928	tmp240619937.exe
3836	tmp240620156.exe
5016	tmp240620453.exe
4824	tmp240620843.exe
1936	notpad.exe
1100	tmp240654968.exe
2256	tmp240656046.exe
224	notpad.exe
1980	tmp240658312.exe
3772	tmp240658796.exe
3452	notpad.exe
3436	tmp240659015.exe
3440	tmp240659062.exe
4356	tmp240659406.exe
1528	notpad.exe
1012	tmp240659453.exe
3356	tmp240660578.exe
5076	tmp240660625.exe
3044	tmp240661156.exe
676	tmp240661109.exe
724	notpad.exe
396	tmp240661328.exe
1904	tmp240661734.exe
3220	tmp240661453.exe
2548	tmp240661937.exe
5064	notpad.exe
3740	tmp240662328.exe
3188	tmp240662468.exe
3816	tmp240662421.exe
972	tmp240662671.exe
5084	notpad.exe
1244	tmp240663265.exe
4200	notpad.exe
4024	tmp240664734.exe
2940	tmp240714984.exe
3152	tmp240715296.exe
1440	tmp240715750.exe
1764	tmp240716031.exe
1372	notpad.exe
3432	tmp240716062.exe
2916	tmp240716218.exe
4940	tmp240716265.exe
4580	tmp240716281.exe
860	tmp240722484.exe
2924	notpad.exe
692	tmp240716437.exe
3312	tmp240716562.exe
3992	tmp240716703.exe
392	tmp240716781.exe
548	notpad.exe
4876	tmp240716906.exe
4796	tmp240716937.exe
5016	tmp240717093.exe
4760	tmp240717000.exe
4644	notpad.exe
4956	tmp240717203.exe
3268	tmp240717359.exe
4736	tmp240717328.exe
5048	tmp240717468.exe
2744	tmp240717484.exe
3100	notpad.exe
2256	tmp240717656.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4128-132-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4128-139-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022e37-138.dat	upx
behavioral2/files/0x0006000000022e37-137.dat	upx
behavioral2/files/0x0006000000022e3a-146.dat	upx
behavioral2/memory/4248-145-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3836-147-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022e3a-144.dat	upx
behavioral2/memory/3836-154-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x000a000000022e2c-158.dat	upx
behavioral2/files/0x000a000000022e2c-159.dat	upx
behavioral2/memory/1936-160-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022e3b-164.dat	upx
behavioral2/memory/1936-168-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x000b000000022e2c-170.dat	upx
behavioral2/memory/224-171-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x000b000000022e2c-172.dat	upx
behavioral2/files/0x0006000000022e3b-176.dat	upx
behavioral2/files/0x0007000000022e48-179.dat	upx
behavioral2/files/0x0007000000022e48-180.dat	upx
behavioral2/memory/224-181-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x000b000000022e2c-183.dat	upx
behavioral2/memory/3772-185-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3452-184-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022e3b-190.dat	upx
behavioral2/memory/3772-196-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x000b000000022e2c-198.dat	upx
behavioral2/memory/3452-202-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0008000000022e52-201.dat	upx
behavioral2/files/0x0008000000022e52-200.dat	upx
behavioral2/memory/1012-213-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0008000000022e56-216.dat	upx
behavioral2/memory/1528-218-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x000b000000022e2c-220.dat	upx
behavioral2/files/0x0008000000022e56-217.dat	upx
behavioral2/memory/1528-215-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022e3b-224.dat	upx
behavioral2/memory/676-229-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x000b000000022e2c-238.dat	upx
behavioral2/files/0x0006000000022e3b-243.dat	upx
behavioral2/memory/2548-246-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5064-250-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/724-237-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2548-236-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022e5f-234.dat	upx
behavioral2/files/0x0006000000022e5f-233.dat	upx
behavioral2/files/0x0006000000022e3b-207.dat	upx
behavioral2/memory/972-252-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5084-253-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4200-256-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5084-262-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/972-260-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4200-266-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1440-271-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1764-272-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2924-274-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1372-275-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1372-277-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2924-281-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/692-284-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/392-287-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/548-291-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4644-297-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4956-295-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Checks computer location settings 2 TTPs 28 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240660578.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240716562.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240716937.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240717359.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240619421.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240661328.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240720703.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240664734.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240716062.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240718890.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240719250.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240761593.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240717656.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240718562.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240659015.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240719828.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240721484.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240762000.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240658312.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240662328.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240719312.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240721015.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240722093.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240654968.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240663265.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240721750.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240722375.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240722828.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240660578.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240716062.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240716062.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240720703.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240721484.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240722375.exe
File created	C:\Windows\SysWOW64\fsb.tmp	tmp240619421.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240619421.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240718562.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240719250.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240720703.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240662328.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240717656.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240717359.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240718890.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240762000.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240663265.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240664734.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240663265.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240719828.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240762000.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240658312.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240658312.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240659015.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240721484.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240720703.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240761593.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240716937.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240718890.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240664734.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240716562.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240721750.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240719312.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240721484.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240718562.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240719312.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240722093.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240722375.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240619421.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240717359.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240721015.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240721750.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240722375.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240619421.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240662328.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240659015.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240662328.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240716062.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240716562.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240718562.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240719828.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240654968.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240659015.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240722093.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240761593.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240717656.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240718890.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240716937.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240721015.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240722093.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240654968.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240661328.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240716937.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240721015.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1472	4824	WerFault.exe	86
1468	4824	WerFault.exe	86

Modifies registry class 28 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240761593.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240654968.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240663265.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240719312.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240721484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240659015.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240662328.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240718562.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240719828.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240619421.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240716062.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240716937.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240762000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240718890.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240719250.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240721015.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240721750.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240661328.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240664734.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240716562.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240717656.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240722375.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240722093.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240722828.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240720703.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240658312.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240660578.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240717359.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4128 wrote to memory of 1432	4128	b0336076c54f1050148f7cdf3a1e3fe92ba4ee445c30272eac0540486a4d25ce.exe	79
PID 4128 wrote to memory of 1432	4128	b0336076c54f1050148f7cdf3a1e3fe92ba4ee445c30272eac0540486a4d25ce.exe	79
PID 4128 wrote to memory of 1432	4128	b0336076c54f1050148f7cdf3a1e3fe92ba4ee445c30272eac0540486a4d25ce.exe	79
PID 4128 wrote to memory of 4248	4128	b0336076c54f1050148f7cdf3a1e3fe92ba4ee445c30272eac0540486a4d25ce.exe	80
PID 4128 wrote to memory of 4248	4128	b0336076c54f1050148f7cdf3a1e3fe92ba4ee445c30272eac0540486a4d25ce.exe	80
PID 4128 wrote to memory of 4248	4128	b0336076c54f1050148f7cdf3a1e3fe92ba4ee445c30272eac0540486a4d25ce.exe	80
PID 4248 wrote to memory of 1928	4248	tmp240619718.exe	81
PID 4248 wrote to memory of 1928	4248	tmp240619718.exe	81
PID 4248 wrote to memory of 1928	4248	tmp240619718.exe	81
PID 4248 wrote to memory of 3836	4248	tmp240619718.exe	82
PID 4248 wrote to memory of 3836	4248	tmp240619718.exe	82
PID 4248 wrote to memory of 3836	4248	tmp240619718.exe	82
PID 3836 wrote to memory of 5016	3836	tmp240620156.exe	83
PID 3836 wrote to memory of 5016	3836	tmp240620156.exe	83
PID 3836 wrote to memory of 5016	3836	tmp240620156.exe	83
PID 3836 wrote to memory of 4824	3836	tmp240620156.exe	86
PID 3836 wrote to memory of 4824	3836	tmp240620156.exe	86
PID 3836 wrote to memory of 4824	3836	tmp240620156.exe	86
PID 4824 wrote to memory of 1472	4824	tmp240620843.exe	87
PID 4824 wrote to memory of 1472	4824	tmp240620843.exe	87
PID 4824 wrote to memory of 1472	4824	tmp240620843.exe	87
PID 1432 wrote to memory of 1936	1432	tmp240619421.exe	89
PID 1432 wrote to memory of 1936	1432	tmp240619421.exe	89
PID 1432 wrote to memory of 1936	1432	tmp240619421.exe	89
PID 1936 wrote to memory of 1100	1936	notpad.exe	90
PID 1936 wrote to memory of 1100	1936	notpad.exe	90
PID 1936 wrote to memory of 1100	1936	notpad.exe	90
PID 1936 wrote to memory of 2256	1936	notpad.exe	91
PID 1936 wrote to memory of 2256	1936	notpad.exe	91
PID 1936 wrote to memory of 2256	1936	notpad.exe	91
PID 1100 wrote to memory of 224	1100	tmp240654968.exe	92
PID 1100 wrote to memory of 224	1100	tmp240654968.exe	92
PID 1100 wrote to memory of 224	1100	tmp240654968.exe	92
PID 224 wrote to memory of 1980	224	notpad.exe	93
PID 224 wrote to memory of 1980	224	notpad.exe	93
PID 224 wrote to memory of 1980	224	notpad.exe	93
PID 224 wrote to memory of 3772	224	notpad.exe	94
PID 224 wrote to memory of 3772	224	notpad.exe	94
PID 224 wrote to memory of 3772	224	notpad.exe	94
PID 1980 wrote to memory of 3452	1980	tmp240658312.exe	95
PID 1980 wrote to memory of 3452	1980	tmp240658312.exe	95
PID 1980 wrote to memory of 3452	1980	tmp240658312.exe	95
PID 3772 wrote to memory of 3436	3772	tmp240658796.exe	96
PID 3772 wrote to memory of 3436	3772	tmp240658796.exe	96
PID 3772 wrote to memory of 3436	3772	tmp240658796.exe	96
PID 3452 wrote to memory of 3440	3452	notpad.exe	97
PID 3452 wrote to memory of 3440	3452	notpad.exe	97
PID 3452 wrote to memory of 3440	3452	notpad.exe	97
PID 3772 wrote to memory of 4356	3772	tmp240658796.exe	98
PID 3772 wrote to memory of 4356	3772	tmp240658796.exe	98
PID 3772 wrote to memory of 4356	3772	tmp240658796.exe	98
PID 3436 wrote to memory of 1528	3436	tmp240659015.exe	100
PID 3436 wrote to memory of 1528	3436	tmp240659015.exe	100
PID 3436 wrote to memory of 1528	3436	tmp240659015.exe	100
PID 3452 wrote to memory of 1012	3452	notpad.exe	99
PID 3452 wrote to memory of 1012	3452	notpad.exe	99
PID 3452 wrote to memory of 1012	3452	notpad.exe	99
PID 1528 wrote to memory of 3356	1528	notpad.exe	101
PID 1528 wrote to memory of 3356	1528	notpad.exe	101
PID 1528 wrote to memory of 3356	1528	notpad.exe	101
PID 1012 wrote to memory of 5076	1012	tmp240659453.exe	115
PID 1012 wrote to memory of 5076	1012	tmp240659453.exe	115
PID 1012 wrote to memory of 5076	1012	tmp240659453.exe	115
PID 1012 wrote to memory of 3044	1012	tmp240659453.exe	102

C:\Users\Admin\AppData\Local\Temp\b0336076c54f1050148f7cdf3a1e3fe92ba4ee445c30272eac0540486a4d25ce.exe
"C:\Users\Admin\AppData\Local\Temp\b0336076c54f1050148f7cdf3a1e3fe92ba4ee445c30272eac0540486a4d25ce.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4128
- C:\Users\Admin\AppData\Local\Temp\tmp240619421.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240619421.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1432
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Users\Admin\AppData\Local\Temp\tmp240654968.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240654968.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1100
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:224
      - C:\Users\Admin\AppData\Local\Temp\tmp240658312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658312.exe
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659062.exe
        8⤵
        Executes dropped EXE
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659453.exe
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661156.exe
        9⤵
        Executes dropped EXE
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660625.exe
        9⤵
        Executes dropped EXE
        
        PID:5076
      - C:\Users\Admin\AppData\Local\Temp\tmp240658796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658796.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659015.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3436
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660578.exe
        9⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        Executes dropped EXE
        
        PID:724
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661453.exe
        11⤵
        Executes dropped EXE
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661937.exe
        11⤵
        Executes dropped EXE
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662468.exe
        12⤵
        Executes dropped EXE
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662328.exe
        12⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661109.exe
        9⤵
        Executes dropped EXE
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661328.exe
        10⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:396
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        Executes dropped EXE
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661734.exe
        10⤵
        Executes dropped EXE
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659406.exe
        7⤵
        Executes dropped EXE
        
        PID:4356
  - - C:\Users\Admin\AppData\Local\Temp\tmp240656046.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240656046.exe
      4⤵
      Executes dropped EXE
      PID:2256
- C:\Users\Admin\AppData\Local\Temp\tmp240619718.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240619718.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4248
- - C:\Users\Admin\AppData\Local\Temp\tmp240619937.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240619937.exe
    3⤵
    - Executes dropped EXE
    PID:1928
- - C:\Users\Admin\AppData\Local\Temp\tmp240620156.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240620156.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3836
  - - C:\Users\Admin\AppData\Local\Temp\tmp240620453.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240620453.exe
      4⤵
      Executes dropped EXE
      PID:5016
  - - C:\Users\Admin\AppData\Local\Temp\tmp240620843.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240620843.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4824
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 224
        5⤵
        Program crash
        
        PID:1472
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4824 -s 224
        5⤵
        Program crash
        
        PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 4824 -ip 4824
1⤵
PID:3268

C:\Users\Admin\AppData\Local\Temp\tmp240662421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240662421.exe
1⤵
- Executes dropped EXE
PID:3816

C:\Users\Admin\AppData\Local\Temp\tmp240662671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240662671.exe
1⤵
- Executes dropped EXE
PID:972
- C:\Users\Admin\AppData\Local\Temp\tmp240663265.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240663265.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  PID:1244
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    PID:4200
  - - C:\Users\Admin\AppData\Local\Temp\tmp240715296.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240715296.exe
      4⤵
      Executes dropped EXE
      PID:3152
  - - C:\Users\Admin\AppData\Local\Temp\tmp240716031.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240716031.exe
      4⤵
      Executes dropped EXE
      PID:1764
    - - C:\Users\Admin\AppData\Local\Temp\tmp240716218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240716218.exe
        5⤵
        Executes dropped EXE
        
        PID:2916
    - - C:\Users\Admin\AppData\Local\Temp\tmp240716359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240716359.exe
        5⤵
        
        PID:860
- C:\Users\Admin\AppData\Local\Temp\tmp240714984.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240714984.exe
  2⤵
  - Executes dropped EXE
  PID:2940

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
PID:5084
- C:\Users\Admin\AppData\Local\Temp\tmp240664734.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240664734.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  PID:4024
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    PID:1372
  - - C:\Users\Admin\AppData\Local\Temp\tmp240716265.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240716265.exe
      4⤵
      Executes dropped EXE
      PID:4940
  - - C:\Users\Admin\AppData\Local\Temp\tmp240716437.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240716437.exe
      4⤵
      Executes dropped EXE
      PID:692
    - - C:\Users\Admin\AppData\Local\Temp\tmp240716703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240716703.exe
        5⤵
        Executes dropped EXE
        
        PID:3992
    - - C:\Users\Admin\AppData\Local\Temp\tmp240716906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240716906.exe
        5⤵
        Executes dropped EXE
        
        PID:4876
- C:\Users\Admin\AppData\Local\Temp\tmp240715750.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240715750.exe
  2⤵
  - Executes dropped EXE
  PID:1440
- - C:\Users\Admin\AppData\Local\Temp\tmp240716062.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240716062.exe
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in System32 directory
    - Modifies registry class
    PID:3432
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      Executes dropped EXE
      PID:2924
    - - C:\Users\Admin\AppData\Local\Temp\tmp240716562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240716562.exe
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3312
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        Executes dropped EXE
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717000.exe
        7⤵
        Executes dropped EXE
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717203.exe
        7⤵
        Executes dropped EXE
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717359.exe
        8⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3268
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        Executes dropped EXE
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717656.exe
        10⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2256
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718562.exe
        12⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1468
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719203.exe
        14⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719312.exe
        15⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719843.exe
        17⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719875.exe
        18⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\tmp240720656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240720656.exe
        18⤵
        
        PID:724
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719828.exe
        17⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1500
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240720703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240720703.exe
        19⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721015.exe
        21⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4920
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        22⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721484.exe
        23⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        24⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721765.exe
        25⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721843.exe
        25⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721937.exe
        26⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721968.exe
        26⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722031.exe
        27⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722046.exe
        27⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722093.exe
        28⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        29⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722390.exe
        30⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722421.exe
        30⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722468.exe
        31⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722500.exe
        31⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722640.exe
        32⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723046.exe
        32⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723109.exe
        33⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240761296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240761296.exe
        33⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722109.exe
        28⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721515.exe
        23⤵
        
        PID:3448
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721546.exe
        24⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721671.exe
        24⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721812.exe
        25⤵
        
        PID:64
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721750.exe
        25⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        26⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722140.exe
        27⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722203.exe
        27⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722281.exe
        28⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722296.exe
        28⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722375.exe
        29⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3556
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        30⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722828.exe
        31⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4088
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        32⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240761593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240761593.exe
        33⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3588
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        34⤵
        
        PID:204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240762000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240762000.exe
        35⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1472
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        36⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\tmp240762062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240762062.exe
        35⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240762203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240762203.exe
        36⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240762390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240762390.exe
        36⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\tmp240761687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240761687.exe
        33⤵
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\tmp240761843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240761843.exe
        34⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\tmp240761968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240761968.exe
        34⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\tmp240762109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240762109.exe
        35⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\tmp240762187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240762187.exe
        35⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240762312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240762312.exe
        36⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\tmp240762421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240762421.exe
        36⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\tmp240762453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240762453.exe
        37⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240762468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240762468.exe
        37⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723062.exe
        31⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723171.exe
        32⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240761312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240761312.exe
        32⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\tmp240761484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240761484.exe
        33⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\tmp240761562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240761562.exe
        33⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp240761703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240761703.exe
        34⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240761812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240761812.exe
        34⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722437.exe
        29⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722484.exe
        30⤵
        Executes dropped EXE
        
        PID:860
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722562.exe
        30⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721062.exe
        21⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721296.exe
        22⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721375.exe
        23⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721437.exe
        23⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721250.exe
        22⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\tmp240720812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240720812.exe
        19⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721046.exe
        20⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721218.exe
        20⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719500.exe
        15⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719015.exe
        14⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718812.exe
        12⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718890.exe
        13⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4124
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        14⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719046.exe
        13⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718359.exe
        10⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718828.exe
        11⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718609.exe
        11⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717468.exe
        8⤵
        Executes dropped EXE
        
        PID:5048
    - - C:\Users\Admin\AppData\Local\Temp\tmp240716781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240716781.exe
        5⤵
        Executes dropped EXE
        
        PID:392
      - C:\Users\Admin\AppData\Local\Temp\tmp240717093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717093.exe
        6⤵
        Executes dropped EXE
        
        PID:5016
      - C:\Users\Admin\AppData\Local\Temp\tmp240716937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240716937.exe
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        Executes dropped EXE
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717328.exe
        8⤵
        Executes dropped EXE
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717484.exe
        8⤵
        Executes dropped EXE
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717609.exe
        9⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718390.exe
        9⤵
        
        PID:2728
- - C:\Users\Admin\AppData\Local\Temp\tmp240716281.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240716281.exe
    3⤵
    - Executes dropped EXE
    PID:4580

C:\Users\Admin\AppData\Local\Temp\tmp240719281.exe
C:\Users\Admin\AppData\Local\Temp\tmp240719281.exe
1⤵
PID:2804
- C:\Users\Admin\AppData\Local\Temp\tmp240719562.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240719562.exe
  2⤵
  PID:2044
- C:\Users\Admin\AppData\Local\Temp\tmp240719406.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240719406.exe
  2⤵
  PID:2040

C:\Users\Admin\AppData\Local\Temp\tmp240719250.exe
C:\Users\Admin\AppData\Local\Temp\tmp240719250.exe
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:4356
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:3452
- - C:\Users\Admin\AppData\Local\Temp\tmp240719468.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240719468.exe
    3⤵
    PID:5108
- - C:\Users\Admin\AppData\Local\Temp\tmp240719671.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240719671.exe
    3⤵
    PID:1000
  - - C:\Users\Admin\AppData\Local\Temp\tmp240719796.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240719796.exe
      4⤵
      PID:1656
  - - C:\Users\Admin\AppData\Local\Temp\tmp240719734.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240719734.exe
      4⤵
      PID:1484

C:\Users\Admin\AppData\Local\Temp\tmp240721343.exe
C:\Users\Admin\AppData\Local\Temp\tmp240721343.exe
1⤵
PID:2552

C:\Users\Admin\AppData\Local\Temp\tmp240721359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240721359.exe
1⤵
PID:2636

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp240619421.exe

Filesize
3.0MB

MD5
07f57eec4a6fc1a33c6637e3e6fad77c

SHA1
20708b1e6c5c37613169473ee3353c95893210a3

SHA256
ade264bf24d9e797940a518241fb801f48fbd7b1bf36204da16bcffbc624b0a9

SHA512
4c082c8cff59df232fdef28e12e25cd7dc205ed7daf097d6820914def4eb96482a9099e32de30ee193fb31e699fbcd9ab54f045c6602e999e8ae5626f83c92cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240619421.exe

Filesize
3.0MB

MD5
07f57eec4a6fc1a33c6637e3e6fad77c

SHA1
20708b1e6c5c37613169473ee3353c95893210a3

SHA256
ade264bf24d9e797940a518241fb801f48fbd7b1bf36204da16bcffbc624b0a9

SHA512
4c082c8cff59df232fdef28e12e25cd7dc205ed7daf097d6820914def4eb96482a9099e32de30ee193fb31e699fbcd9ab54f045c6602e999e8ae5626f83c92cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240619718.exe

Filesize
6.2MB

MD5
d84faf8eadbcb5917f266b37cbaf6339

SHA1
f38496215d7cefb3083a10402888ab498e4944cb

SHA256
49dc009563e1764895ad25d96afac11a3078e9ddaf8692641da2e365c5aac779

SHA512
cec1df9959aa3ec6dcc352a37c9f6000ac50740045dbf55f9f5a5173fb29710a806a302b42ef7c2ba4c6932eafce3ed9b37cc5ef4a53cb5c5fc50d87f235c50f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240619718.exe

Filesize
6.2MB

MD5
d84faf8eadbcb5917f266b37cbaf6339

SHA1
f38496215d7cefb3083a10402888ab498e4944cb

SHA256
49dc009563e1764895ad25d96afac11a3078e9ddaf8692641da2e365c5aac779

SHA512
cec1df9959aa3ec6dcc352a37c9f6000ac50740045dbf55f9f5a5173fb29710a806a302b42ef7c2ba4c6932eafce3ed9b37cc5ef4a53cb5c5fc50d87f235c50f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240619937.exe

Filesize
3.0MB

MD5
07f57eec4a6fc1a33c6637e3e6fad77c

SHA1
20708b1e6c5c37613169473ee3353c95893210a3

SHA256
ade264bf24d9e797940a518241fb801f48fbd7b1bf36204da16bcffbc624b0a9

SHA512
4c082c8cff59df232fdef28e12e25cd7dc205ed7daf097d6820914def4eb96482a9099e32de30ee193fb31e699fbcd9ab54f045c6602e999e8ae5626f83c92cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240619937.exe

Filesize
3.0MB

MD5
07f57eec4a6fc1a33c6637e3e6fad77c

SHA1
20708b1e6c5c37613169473ee3353c95893210a3

SHA256
ade264bf24d9e797940a518241fb801f48fbd7b1bf36204da16bcffbc624b0a9

SHA512
4c082c8cff59df232fdef28e12e25cd7dc205ed7daf097d6820914def4eb96482a9099e32de30ee193fb31e699fbcd9ab54f045c6602e999e8ae5626f83c92cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240620156.exe

Filesize
3.2MB

MD5
36638b3fa10c9b78b3b361fb39d470f4

SHA1
8d8d0d37ce3b920671be7a74c787e26d5c12f940

SHA256
23f1efbb2baa676425c715a409f0271ff28a8f520e4195549602aa4db4483c2e

SHA512
0b0c3b0fce6e741d22bba6ee96395d8a349b75a47fd7722cfa8cdcbeece44840829ad5bc8bd67502c616dfa0a5986e48b787c684717a34a7828647087d22a20c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240620156.exe

Filesize
3.2MB

MD5
36638b3fa10c9b78b3b361fb39d470f4

SHA1
8d8d0d37ce3b920671be7a74c787e26d5c12f940

SHA256
23f1efbb2baa676425c715a409f0271ff28a8f520e4195549602aa4db4483c2e

SHA512
0b0c3b0fce6e741d22bba6ee96395d8a349b75a47fd7722cfa8cdcbeece44840829ad5bc8bd67502c616dfa0a5986e48b787c684717a34a7828647087d22a20c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240620453.exe

Filesize
3.0MB

MD5
07f57eec4a6fc1a33c6637e3e6fad77c

SHA1
20708b1e6c5c37613169473ee3353c95893210a3

SHA256
ade264bf24d9e797940a518241fb801f48fbd7b1bf36204da16bcffbc624b0a9

SHA512
4c082c8cff59df232fdef28e12e25cd7dc205ed7daf097d6820914def4eb96482a9099e32de30ee193fb31e699fbcd9ab54f045c6602e999e8ae5626f83c92cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240620453.exe

Filesize
3.0MB

MD5
07f57eec4a6fc1a33c6637e3e6fad77c

SHA1
20708b1e6c5c37613169473ee3353c95893210a3

SHA256
ade264bf24d9e797940a518241fb801f48fbd7b1bf36204da16bcffbc624b0a9

SHA512
4c082c8cff59df232fdef28e12e25cd7dc205ed7daf097d6820914def4eb96482a9099e32de30ee193fb31e699fbcd9ab54f045c6602e999e8ae5626f83c92cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240620843.exe

Filesize
136KB

MD5
9aeb06a81883647698958706907b1c8b

SHA1
1ed819748dd1683826910789ce3c0e331ab636b9

SHA256
2739d7b4fc7ec6f5ccbed17d4c9f57c8905147bdc926a1995e1f9c4f258d55cc

SHA512
d388602a1e322789dda56df6776d570972acce420e45044699f7178115f8c20f32f9723a63657c58771df3ef54afa3193e817679b91cc24fe80d94c78ad09bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240620843.exe

Filesize
136KB

MD5
9aeb06a81883647698958706907b1c8b

SHA1
1ed819748dd1683826910789ce3c0e331ab636b9

SHA256
2739d7b4fc7ec6f5ccbed17d4c9f57c8905147bdc926a1995e1f9c4f258d55cc

SHA512
d388602a1e322789dda56df6776d570972acce420e45044699f7178115f8c20f32f9723a63657c58771df3ef54afa3193e817679b91cc24fe80d94c78ad09bbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240654968.exe

Filesize
3.0MB

MD5
07f57eec4a6fc1a33c6637e3e6fad77c

SHA1
20708b1e6c5c37613169473ee3353c95893210a3

SHA256
ade264bf24d9e797940a518241fb801f48fbd7b1bf36204da16bcffbc624b0a9

SHA512
4c082c8cff59df232fdef28e12e25cd7dc205ed7daf097d6820914def4eb96482a9099e32de30ee193fb31e699fbcd9ab54f045c6602e999e8ae5626f83c92cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240654968.exe

Filesize
3.0MB

MD5
07f57eec4a6fc1a33c6637e3e6fad77c

SHA1
20708b1e6c5c37613169473ee3353c95893210a3

SHA256
ade264bf24d9e797940a518241fb801f48fbd7b1bf36204da16bcffbc624b0a9

SHA512
4c082c8cff59df232fdef28e12e25cd7dc205ed7daf097d6820914def4eb96482a9099e32de30ee193fb31e699fbcd9ab54f045c6602e999e8ae5626f83c92cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240656046.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240658312.exe

Filesize
3.0MB

MD5
07f57eec4a6fc1a33c6637e3e6fad77c

SHA1
20708b1e6c5c37613169473ee3353c95893210a3

SHA256
ade264bf24d9e797940a518241fb801f48fbd7b1bf36204da16bcffbc624b0a9

SHA512
4c082c8cff59df232fdef28e12e25cd7dc205ed7daf097d6820914def4eb96482a9099e32de30ee193fb31e699fbcd9ab54f045c6602e999e8ae5626f83c92cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240658312.exe

Filesize
3.0MB

MD5
07f57eec4a6fc1a33c6637e3e6fad77c

SHA1
20708b1e6c5c37613169473ee3353c95893210a3

SHA256
ade264bf24d9e797940a518241fb801f48fbd7b1bf36204da16bcffbc624b0a9

SHA512
4c082c8cff59df232fdef28e12e25cd7dc205ed7daf097d6820914def4eb96482a9099e32de30ee193fb31e699fbcd9ab54f045c6602e999e8ae5626f83c92cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240658796.exe

Filesize
3.2MB

MD5
b63e6b3ed0035505f24c0a82eace0e46

SHA1
f18761bf46bfb3505904b7a0753f227658e6582b

SHA256
ad0a95f4436ad02de83024f2ddb5fb85c14056655d26a681823aca47f2b22e0d

SHA512
276675b8cad909fb488a9e42f916b481b6c60f3439a2f5b0636e067674064b4d480e3bbfe7165dd3082f59d3bc6a7102c4e23803ecb76f93f5b0b1ec4dd51c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240658796.exe

Filesize
3.2MB

MD5
b63e6b3ed0035505f24c0a82eace0e46

SHA1
f18761bf46bfb3505904b7a0753f227658e6582b

SHA256
ad0a95f4436ad02de83024f2ddb5fb85c14056655d26a681823aca47f2b22e0d

SHA512
276675b8cad909fb488a9e42f916b481b6c60f3439a2f5b0636e067674064b4d480e3bbfe7165dd3082f59d3bc6a7102c4e23803ecb76f93f5b0b1ec4dd51c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240659015.exe

Filesize
3.0MB

MD5
07f57eec4a6fc1a33c6637e3e6fad77c

SHA1
20708b1e6c5c37613169473ee3353c95893210a3

SHA256
ade264bf24d9e797940a518241fb801f48fbd7b1bf36204da16bcffbc624b0a9

SHA512
4c082c8cff59df232fdef28e12e25cd7dc205ed7daf097d6820914def4eb96482a9099e32de30ee193fb31e699fbcd9ab54f045c6602e999e8ae5626f83c92cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240659015.exe

Filesize
3.0MB

MD5
07f57eec4a6fc1a33c6637e3e6fad77c

SHA1
20708b1e6c5c37613169473ee3353c95893210a3

SHA256
ade264bf24d9e797940a518241fb801f48fbd7b1bf36204da16bcffbc624b0a9

SHA512
4c082c8cff59df232fdef28e12e25cd7dc205ed7daf097d6820914def4eb96482a9099e32de30ee193fb31e699fbcd9ab54f045c6602e999e8ae5626f83c92cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240659062.exe

Filesize
3.0MB

MD5
07f57eec4a6fc1a33c6637e3e6fad77c

SHA1
20708b1e6c5c37613169473ee3353c95893210a3

SHA256
ade264bf24d9e797940a518241fb801f48fbd7b1bf36204da16bcffbc624b0a9

SHA512
4c082c8cff59df232fdef28e12e25cd7dc205ed7daf097d6820914def4eb96482a9099e32de30ee193fb31e699fbcd9ab54f045c6602e999e8ae5626f83c92cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240659062.exe

Filesize
3.0MB

MD5
07f57eec4a6fc1a33c6637e3e6fad77c

SHA1
20708b1e6c5c37613169473ee3353c95893210a3

SHA256
ade264bf24d9e797940a518241fb801f48fbd7b1bf36204da16bcffbc624b0a9

SHA512
4c082c8cff59df232fdef28e12e25cd7dc205ed7daf097d6820914def4eb96482a9099e32de30ee193fb31e699fbcd9ab54f045c6602e999e8ae5626f83c92cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240659406.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240659453.exe

Filesize
3.2MB

MD5
b63e6b3ed0035505f24c0a82eace0e46

SHA1
f18761bf46bfb3505904b7a0753f227658e6582b

SHA256
ad0a95f4436ad02de83024f2ddb5fb85c14056655d26a681823aca47f2b22e0d

SHA512
276675b8cad909fb488a9e42f916b481b6c60f3439a2f5b0636e067674064b4d480e3bbfe7165dd3082f59d3bc6a7102c4e23803ecb76f93f5b0b1ec4dd51c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240659453.exe

Filesize
3.2MB

MD5
b63e6b3ed0035505f24c0a82eace0e46

SHA1
f18761bf46bfb3505904b7a0753f227658e6582b

SHA256
ad0a95f4436ad02de83024f2ddb5fb85c14056655d26a681823aca47f2b22e0d

SHA512
276675b8cad909fb488a9e42f916b481b6c60f3439a2f5b0636e067674064b4d480e3bbfe7165dd3082f59d3bc6a7102c4e23803ecb76f93f5b0b1ec4dd51c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240660578.exe

Filesize
3.0MB

MD5
07f57eec4a6fc1a33c6637e3e6fad77c

SHA1
20708b1e6c5c37613169473ee3353c95893210a3

SHA256
ade264bf24d9e797940a518241fb801f48fbd7b1bf36204da16bcffbc624b0a9

SHA512
4c082c8cff59df232fdef28e12e25cd7dc205ed7daf097d6820914def4eb96482a9099e32de30ee193fb31e699fbcd9ab54f045c6602e999e8ae5626f83c92cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240660578.exe

Filesize
3.0MB

MD5
07f57eec4a6fc1a33c6637e3e6fad77c

SHA1
20708b1e6c5c37613169473ee3353c95893210a3

SHA256
ade264bf24d9e797940a518241fb801f48fbd7b1bf36204da16bcffbc624b0a9

SHA512
4c082c8cff59df232fdef28e12e25cd7dc205ed7daf097d6820914def4eb96482a9099e32de30ee193fb31e699fbcd9ab54f045c6602e999e8ae5626f83c92cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240660625.exe

Filesize
3.0MB

MD5
07f57eec4a6fc1a33c6637e3e6fad77c

SHA1
20708b1e6c5c37613169473ee3353c95893210a3

SHA256
ade264bf24d9e797940a518241fb801f48fbd7b1bf36204da16bcffbc624b0a9

SHA512
4c082c8cff59df232fdef28e12e25cd7dc205ed7daf097d6820914def4eb96482a9099e32de30ee193fb31e699fbcd9ab54f045c6602e999e8ae5626f83c92cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240660625.exe

Filesize
3.0MB

MD5
07f57eec4a6fc1a33c6637e3e6fad77c

SHA1
20708b1e6c5c37613169473ee3353c95893210a3

SHA256
ade264bf24d9e797940a518241fb801f48fbd7b1bf36204da16bcffbc624b0a9

SHA512
4c082c8cff59df232fdef28e12e25cd7dc205ed7daf097d6820914def4eb96482a9099e32de30ee193fb31e699fbcd9ab54f045c6602e999e8ae5626f83c92cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240661109.exe

Filesize
3.2MB

MD5
b63e6b3ed0035505f24c0a82eace0e46

SHA1
f18761bf46bfb3505904b7a0753f227658e6582b

SHA256
ad0a95f4436ad02de83024f2ddb5fb85c14056655d26a681823aca47f2b22e0d

SHA512
276675b8cad909fb488a9e42f916b481b6c60f3439a2f5b0636e067674064b4d480e3bbfe7165dd3082f59d3bc6a7102c4e23803ecb76f93f5b0b1ec4dd51c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240661109.exe

Filesize
3.2MB

MD5
b63e6b3ed0035505f24c0a82eace0e46

SHA1
f18761bf46bfb3505904b7a0753f227658e6582b

SHA256
ad0a95f4436ad02de83024f2ddb5fb85c14056655d26a681823aca47f2b22e0d

SHA512
276675b8cad909fb488a9e42f916b481b6c60f3439a2f5b0636e067674064b4d480e3bbfe7165dd3082f59d3bc6a7102c4e23803ecb76f93f5b0b1ec4dd51c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240661156.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240661328.exe

Filesize
3.0MB

MD5
07f57eec4a6fc1a33c6637e3e6fad77c

SHA1
20708b1e6c5c37613169473ee3353c95893210a3

SHA256
ade264bf24d9e797940a518241fb801f48fbd7b1bf36204da16bcffbc624b0a9

SHA512
4c082c8cff59df232fdef28e12e25cd7dc205ed7daf097d6820914def4eb96482a9099e32de30ee193fb31e699fbcd9ab54f045c6602e999e8ae5626f83c92cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240661328.exe

Filesize
3.0MB

MD5
07f57eec4a6fc1a33c6637e3e6fad77c

SHA1
20708b1e6c5c37613169473ee3353c95893210a3

SHA256
ade264bf24d9e797940a518241fb801f48fbd7b1bf36204da16bcffbc624b0a9

SHA512
4c082c8cff59df232fdef28e12e25cd7dc205ed7daf097d6820914def4eb96482a9099e32de30ee193fb31e699fbcd9ab54f045c6602e999e8ae5626f83c92cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240661453.exe

Filesize
3.0MB

MD5
07f57eec4a6fc1a33c6637e3e6fad77c

SHA1
20708b1e6c5c37613169473ee3353c95893210a3

SHA256
ade264bf24d9e797940a518241fb801f48fbd7b1bf36204da16bcffbc624b0a9

SHA512
4c082c8cff59df232fdef28e12e25cd7dc205ed7daf097d6820914def4eb96482a9099e32de30ee193fb31e699fbcd9ab54f045c6602e999e8ae5626f83c92cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240661453.exe

Filesize
3.0MB

MD5
07f57eec4a6fc1a33c6637e3e6fad77c

SHA1
20708b1e6c5c37613169473ee3353c95893210a3

SHA256
ade264bf24d9e797940a518241fb801f48fbd7b1bf36204da16bcffbc624b0a9

SHA512
4c082c8cff59df232fdef28e12e25cd7dc205ed7daf097d6820914def4eb96482a9099e32de30ee193fb31e699fbcd9ab54f045c6602e999e8ae5626f83c92cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240661734.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240661937.exe

Filesize
3.2MB

MD5
b63e6b3ed0035505f24c0a82eace0e46

SHA1
f18761bf46bfb3505904b7a0753f227658e6582b

SHA256
ad0a95f4436ad02de83024f2ddb5fb85c14056655d26a681823aca47f2b22e0d

SHA512
276675b8cad909fb488a9e42f916b481b6c60f3439a2f5b0636e067674064b4d480e3bbfe7165dd3082f59d3bc6a7102c4e23803ecb76f93f5b0b1ec4dd51c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240661937.exe

Filesize
3.2MB

MD5
b63e6b3ed0035505f24c0a82eace0e46

SHA1
f18761bf46bfb3505904b7a0753f227658e6582b

SHA256
ad0a95f4436ad02de83024f2ddb5fb85c14056655d26a681823aca47f2b22e0d

SHA512
276675b8cad909fb488a9e42f916b481b6c60f3439a2f5b0636e067674064b4d480e3bbfe7165dd3082f59d3bc6a7102c4e23803ecb76f93f5b0b1ec4dd51c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240662328.exe

Filesize
3.0MB

MD5
07f57eec4a6fc1a33c6637e3e6fad77c

SHA1
20708b1e6c5c37613169473ee3353c95893210a3

SHA256
ade264bf24d9e797940a518241fb801f48fbd7b1bf36204da16bcffbc624b0a9

SHA512
4c082c8cff59df232fdef28e12e25cd7dc205ed7daf097d6820914def4eb96482a9099e32de30ee193fb31e699fbcd9ab54f045c6602e999e8ae5626f83c92cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240662328.exe

Filesize
3.0MB

MD5
07f57eec4a6fc1a33c6637e3e6fad77c

SHA1
20708b1e6c5c37613169473ee3353c95893210a3

SHA256
ade264bf24d9e797940a518241fb801f48fbd7b1bf36204da16bcffbc624b0a9

SHA512
4c082c8cff59df232fdef28e12e25cd7dc205ed7daf097d6820914def4eb96482a9099e32de30ee193fb31e699fbcd9ab54f045c6602e999e8ae5626f83c92cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240662421.exe

Filesize
3.0MB

MD5
07f57eec4a6fc1a33c6637e3e6fad77c

SHA1
20708b1e6c5c37613169473ee3353c95893210a3

SHA256
ade264bf24d9e797940a518241fb801f48fbd7b1bf36204da16bcffbc624b0a9

SHA512
4c082c8cff59df232fdef28e12e25cd7dc205ed7daf097d6820914def4eb96482a9099e32de30ee193fb31e699fbcd9ab54f045c6602e999e8ae5626f83c92cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240662468.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
3.0MB

MD5
07f57eec4a6fc1a33c6637e3e6fad77c

SHA1
20708b1e6c5c37613169473ee3353c95893210a3

SHA256
ade264bf24d9e797940a518241fb801f48fbd7b1bf36204da16bcffbc624b0a9

SHA512
4c082c8cff59df232fdef28e12e25cd7dc205ed7daf097d6820914def4eb96482a9099e32de30ee193fb31e699fbcd9ab54f045c6602e999e8ae5626f83c92cd

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
3.0MB

MD5
6464d52b2070f48c21e68ca8805f66a4

SHA1
252635dabdc882a5fb5862cb8babb4eb8f745cd2

SHA256
965d01aadab2dbedbeb9dcb33fefe21389628264678efbd46105c52749845db6

SHA512
5995a1a980b6ed9a7d89b55ca3aba519765db8c2b38b27a66337d7482d7c277b7764ed554ac69847aab19a737b0c9f2a5ad82f9ebeca6d2dd71e556174c15dae

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
3.0MB

MD5
07f57eec4a6fc1a33c6637e3e6fad77c

SHA1
20708b1e6c5c37613169473ee3353c95893210a3

SHA256
ade264bf24d9e797940a518241fb801f48fbd7b1bf36204da16bcffbc624b0a9

SHA512
4c082c8cff59df232fdef28e12e25cd7dc205ed7daf097d6820914def4eb96482a9099e32de30ee193fb31e699fbcd9ab54f045c6602e999e8ae5626f83c92cd

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
3.0MB

MD5
07f57eec4a6fc1a33c6637e3e6fad77c

SHA1
20708b1e6c5c37613169473ee3353c95893210a3

SHA256
ade264bf24d9e797940a518241fb801f48fbd7b1bf36204da16bcffbc624b0a9

SHA512
4c082c8cff59df232fdef28e12e25cd7dc205ed7daf097d6820914def4eb96482a9099e32de30ee193fb31e699fbcd9ab54f045c6602e999e8ae5626f83c92cd

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
3.0MB

MD5
07f57eec4a6fc1a33c6637e3e6fad77c

SHA1
20708b1e6c5c37613169473ee3353c95893210a3

SHA256
ade264bf24d9e797940a518241fb801f48fbd7b1bf36204da16bcffbc624b0a9

SHA512
4c082c8cff59df232fdef28e12e25cd7dc205ed7daf097d6820914def4eb96482a9099e32de30ee193fb31e699fbcd9ab54f045c6602e999e8ae5626f83c92cd

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.2MB

MD5
b63e6b3ed0035505f24c0a82eace0e46

SHA1
f18761bf46bfb3505904b7a0753f227658e6582b

SHA256
ad0a95f4436ad02de83024f2ddb5fb85c14056655d26a681823aca47f2b22e0d

SHA512
276675b8cad909fb488a9e42f916b481b6c60f3439a2f5b0636e067674064b4d480e3bbfe7165dd3082f59d3bc6a7102c4e23803ecb76f93f5b0b1ec4dd51c48

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.2MB

MD5
b63e6b3ed0035505f24c0a82eace0e46

SHA1
f18761bf46bfb3505904b7a0753f227658e6582b

SHA256
ad0a95f4436ad02de83024f2ddb5fb85c14056655d26a681823aca47f2b22e0d

SHA512
276675b8cad909fb488a9e42f916b481b6c60f3439a2f5b0636e067674064b4d480e3bbfe7165dd3082f59d3bc6a7102c4e23803ecb76f93f5b0b1ec4dd51c48

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
6.2MB

MD5
b3a07a69ef17c5cfe66fc16e7b1abdb2

SHA1
748c0e5d3908c72ea5f032389ec6ec93d02106ab

SHA256
d7f7548ab0cc6969c0096c864edd5c852b6b872505307ba71f234c56c55ca9c6

SHA512
55b710f7a8cf152dbada500bed8e50a3e9f0b493dc83a484c359438abc8e2266b949506071391933a375a2e223fe96ec4f1f277ba75b8dbc23ab8db4987766b8

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
6.2MB

MD5
b3a07a69ef17c5cfe66fc16e7b1abdb2

SHA1
748c0e5d3908c72ea5f032389ec6ec93d02106ab

SHA256
d7f7548ab0cc6969c0096c864edd5c852b6b872505307ba71f234c56c55ca9c6

SHA512
55b710f7a8cf152dbada500bed8e50a3e9f0b493dc83a484c359438abc8e2266b949506071391933a375a2e223fe96ec4f1f277ba75b8dbc23ab8db4987766b8

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
6.2MB

MD5
b3a07a69ef17c5cfe66fc16e7b1abdb2

SHA1
748c0e5d3908c72ea5f032389ec6ec93d02106ab

SHA256
d7f7548ab0cc6969c0096c864edd5c852b6b872505307ba71f234c56c55ca9c6

SHA512
55b710f7a8cf152dbada500bed8e50a3e9f0b493dc83a484c359438abc8e2266b949506071391933a375a2e223fe96ec4f1f277ba75b8dbc23ab8db4987766b8

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
6.2MB

MD5
b3a07a69ef17c5cfe66fc16e7b1abdb2

SHA1
748c0e5d3908c72ea5f032389ec6ec93d02106ab

SHA256
d7f7548ab0cc6969c0096c864edd5c852b6b872505307ba71f234c56c55ca9c6

SHA512
55b710f7a8cf152dbada500bed8e50a3e9f0b493dc83a484c359438abc8e2266b949506071391933a375a2e223fe96ec4f1f277ba75b8dbc23ab8db4987766b8

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
6.2MB

MD5
b3a07a69ef17c5cfe66fc16e7b1abdb2

SHA1
748c0e5d3908c72ea5f032389ec6ec93d02106ab

SHA256
d7f7548ab0cc6969c0096c864edd5c852b6b872505307ba71f234c56c55ca9c6

SHA512
55b710f7a8cf152dbada500bed8e50a3e9f0b493dc83a484c359438abc8e2266b949506071391933a375a2e223fe96ec4f1f277ba75b8dbc23ab8db4987766b8

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
6.2MB

MD5
b3a07a69ef17c5cfe66fc16e7b1abdb2

SHA1
748c0e5d3908c72ea5f032389ec6ec93d02106ab

SHA256
d7f7548ab0cc6969c0096c864edd5c852b6b872505307ba71f234c56c55ca9c6

SHA512
55b710f7a8cf152dbada500bed8e50a3e9f0b493dc83a484c359438abc8e2266b949506071391933a375a2e223fe96ec4f1f277ba75b8dbc23ab8db4987766b8

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
memory/224-181-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/224-171-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/392-287-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/548-291-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/676-229-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/688-306-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/692-284-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/724-237-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/972-260-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/972-252-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1000-313-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1012-213-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1100-302-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1100-304-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1240-303-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1240-305-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1372-275-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1372-277-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1440-271-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1528-218-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1528-215-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1764-272-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1820-307-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1936-168-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1936-160-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2304-320-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2352-322-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2548-246-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2548-319-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2548-236-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2744-300-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2744-298-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2804-310-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2924-274-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2924-281-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3100-301-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3428-317-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3428-316-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3452-312-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3452-184-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3452-311-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3452-202-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3772-196-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3772-185-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3836-147-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3836-154-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4128-132-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4128-139-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4200-256-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4200-266-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4220-321-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4248-145-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4304-323-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4400-309-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4420-308-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4636-314-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4644-297-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4752-315-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4752-318-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4824-155-0x0000000000010000-0x0000000000032000-memory.dmp

Filesize
136KB

Download
memory/4956-295-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5064-250-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5084-253-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5084-262-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download