83a50597a8db5f629f1ce1c091a4e8325562485a23f130ca2e57fe5ad0362d1c

Analysis

max time kernel
154s
max time network
218s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03-12-2022 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83a50597a8db5f629f1ce1c091a4e8325562485a23f130ca2e57fe5ad0362d1c.exe
Size

4.8MB
MD5

6c6363defccd56b8422d6cac8884d744
SHA1

f83d632bd30f53c2eed2b0983ce2544107c96bcf
SHA256

83a50597a8db5f629f1ce1c091a4e8325562485a23f130ca2e57fe5ad0362d1c
SHA512

3b84d224f9282da279165db04a8b5544e37e1b417be3409aa10e8feb3f99936efdd783e67986b1f7df212ea2253af9ba3d4a2492b967aa661d29c083fc6e5408
SSDEEP

24576:DDyTFtjeDyo1tjbDyTFtjeDyo1tjVDyTFtjeDyo1tjyDyTFtjeDyo1tjeDyTFtjQ:MtktQtkt2tktrtkt3tktDtktvtkt

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1800	tmp240613859.exe
3844	tmp240614156.exe
1468	tmp240615343.exe
3108	tmp240616046.exe
4720	tmp240616296.exe
2296	tmp240616406.exe
2108	tmp240616734.exe
4780	tmp240616843.exe
1544	tmp240617031.exe
3692	tmp240617187.exe
2636	tmp240617437.exe
2752	tmp240617531.exe
2520	tmp240617703.exe
4068	tmp240617937.exe
2176	notpad.exe
748	tmp240618437.exe
1864	tmp240618500.exe
740	notpad.exe
2216	tmp240618734.exe
2668	notpad.exe
1292	tmp240620921.exe
3168	tmp240621140.exe
4248	notpad.exe
4180	tmp240622000.exe
3052	tmp240621828.exe
1928	notpad.exe
1204	tmp240622218.exe
4228	tmp240622593.exe
1224	tmp240622890.exe
1788	notpad.exe
4276	tmp240623250.exe
4564	tmp240623625.exe
4028	notpad.exe
4268	tmp240623875.exe
2120	notpad.exe
1680	tmp240638500.exe
1648	tmp240631000.exe
3568	tmp240642031.exe
812	notpad.exe
4936	tmp240642843.exe
940	tmp240642875.exe
4824	notpad.exe
2032	tmp240643140.exe
2264	tmp240643171.exe
3004	notpad.exe
3912	tmp240643437.exe
888	tmp240643484.exe
2492	notpad.exe
1356	tmp240643687.exe
4656	tmp240643843.exe
5028	notpad.exe
5096	tmp240644062.exe
4044	tmp240644078.exe
1544	notpad.exe
3388	tmp240644281.exe
3692	tmp240644437.exe
4680	notpad.exe
3924	tmp240644609.exe
4652	notpad.exe
4232	tmp240644625.exe
4148	tmp240644781.exe
4860	tmp240645031.exe
2300	notpad.exe
2584	tmp240645562.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1280-132-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022e6d-138.dat	upx
behavioral2/memory/1280-139-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022e6d-137.dat	upx
behavioral2/memory/3844-140-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022e7c-146.dat	upx
behavioral2/memory/3844-147-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022e7c-145.dat	upx
behavioral2/files/0x0006000000022e7f-152.dat	upx
behavioral2/memory/3108-153-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022e7f-154.dat	upx
behavioral2/memory/2296-155-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022e82-161.dat	upx
behavioral2/memory/2296-162-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022e82-160.dat	upx
behavioral2/files/0x0006000000022e85-168.dat	upx
behavioral2/memory/4780-169-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022e85-167.dat	upx
behavioral2/files/0x0006000000022e87-174.dat	upx
behavioral2/memory/3692-176-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022e87-175.dat	upx
behavioral2/memory/2752-177-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2752-183-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022e79-187.dat	upx
behavioral2/memory/2176-195-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022e79-197.dat	upx
behavioral2/files/0x0007000000022e71-191.dat	upx
behavioral2/files/0x0007000000022e79-186.dat	upx
behavioral2/memory/740-198-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022e71-203.dat	upx
behavioral2/files/0x0007000000022e79-206.dat	upx
behavioral2/files/0x0007000000022e71-213.dat	upx
behavioral2/files/0x0007000000022e79-216.dat	upx
behavioral2/memory/4248-217-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2668-218-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022e71-224.dat	upx
behavioral2/memory/740-210-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2668-226-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4248-231-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022e79-229.dat	upx
behavioral2/files/0x0007000000022e71-235.dat	upx
behavioral2/memory/1928-237-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1928-240-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022e79-242.dat	upx
behavioral2/files/0x0007000000022e71-246.dat	upx
behavioral2/memory/1788-249-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4028-251-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4028-253-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2120-255-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4028-258-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2120-260-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/812-264-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4824-268-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3004-272-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2492-277-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5028-280-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1544-282-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1544-285-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4680-290-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4652-293-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4652-294-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2300-297-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3908-298-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4952-299-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240693265.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240696250.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240710562.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240735859.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240739906.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240622593.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240652859.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240687218.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240692687.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240693734.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240710750.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240643437.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240653734.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240684687.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240734453.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240740218.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240646046.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240648859.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240685203.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240685437.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240694765.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240711296.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240737125.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240742140.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240642843.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240648453.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240694171.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240695843.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240696468.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240613859.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240618734.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240644281.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240735375.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240622000.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240644062.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240646390.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240736890.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240738937.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240740421.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240692218.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240711156.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240736296.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240643140.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240644609.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240645562.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240697093.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240709984.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240618437.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240712453.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240737562.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240623250.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240653156.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240653453.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240695062.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240710203.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240734656.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240736593.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240740593.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240741843.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240638500.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240643687.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240644781.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240710984.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240736125.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\notpad.exe	tmp240712453.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240735859.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240742140.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240734765.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240696468.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240711296.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240737125.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240739906.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240618437.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240638500.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240653453.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240687218.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240653453.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240685484.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240648859.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240653156.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240692687.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240710562.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240618437.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240622593.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240623250.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240646046.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240741609.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240684687.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240741359.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240737562.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240618734.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240644062.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240648453.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240711156.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240644609.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240645562.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240736125.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240742375.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240642843.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240644281.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240740593.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240740421.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240621140.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240709984.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240734656.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240613859.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240622593.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240644062.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240736593.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240693734.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240741359.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240741843.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240621140.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240696468.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240613859.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240644609.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240644781.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240737406.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240712453.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240621140.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240623250.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240694171.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240697093.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240642843.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240644281.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240646390.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240648859.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240648453.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4660	4068	WerFault.exe	96

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240652859.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240696468.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240711296.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240737406.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240735859.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240740593.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240618437.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240644281.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240685484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240696250.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240696671.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240710984.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240712453.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240736296.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240643437.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240648859.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240685437.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240695062.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240710203.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240739906.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240697093.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240711156.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240734656.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240736890.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240621140.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240622000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240623875.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240653734.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240737125.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240653156.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240693265.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240694765.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240737562.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240710562.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240736593.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240741609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240613859.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240638500.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240653453.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240622593.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240648453.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240709984.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240741359.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240742375.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240684687.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240685203.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240710750.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240734453.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240735375.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240735625.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240741843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240618734.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240642843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240643140.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240687218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240694171.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240692687.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240736125.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240740421.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240643687.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240644609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240645562.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240646390.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240692218.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 1800	1280	83a50597a8db5f629f1ce1c091a4e8325562485a23f130ca2e57fe5ad0362d1c.exe	81
PID 1280 wrote to memory of 1800	1280	83a50597a8db5f629f1ce1c091a4e8325562485a23f130ca2e57fe5ad0362d1c.exe	81
PID 1280 wrote to memory of 1800	1280	83a50597a8db5f629f1ce1c091a4e8325562485a23f130ca2e57fe5ad0362d1c.exe	81
PID 1280 wrote to memory of 3844	1280	83a50597a8db5f629f1ce1c091a4e8325562485a23f130ca2e57fe5ad0362d1c.exe	82
PID 1280 wrote to memory of 3844	1280	83a50597a8db5f629f1ce1c091a4e8325562485a23f130ca2e57fe5ad0362d1c.exe	82
PID 1280 wrote to memory of 3844	1280	83a50597a8db5f629f1ce1c091a4e8325562485a23f130ca2e57fe5ad0362d1c.exe	82
PID 3844 wrote to memory of 1468	3844	tmp240614156.exe	83
PID 3844 wrote to memory of 1468	3844	tmp240614156.exe	83
PID 3844 wrote to memory of 1468	3844	tmp240614156.exe	83
PID 3844 wrote to memory of 3108	3844	tmp240614156.exe	85
PID 3844 wrote to memory of 3108	3844	tmp240614156.exe	85
PID 3844 wrote to memory of 3108	3844	tmp240614156.exe	85
PID 3108 wrote to memory of 4720	3108	tmp240616046.exe	84
PID 3108 wrote to memory of 4720	3108	tmp240616046.exe	84
PID 3108 wrote to memory of 4720	3108	tmp240616046.exe	84
PID 3108 wrote to memory of 2296	3108	tmp240616046.exe	86
PID 3108 wrote to memory of 2296	3108	tmp240616046.exe	86
PID 3108 wrote to memory of 2296	3108	tmp240616046.exe	86
PID 2296 wrote to memory of 2108	2296	tmp240616406.exe	87
PID 2296 wrote to memory of 2108	2296	tmp240616406.exe	87
PID 2296 wrote to memory of 2108	2296	tmp240616406.exe	87
PID 2296 wrote to memory of 4780	2296	tmp240616406.exe	93
PID 2296 wrote to memory of 4780	2296	tmp240616406.exe	93
PID 2296 wrote to memory of 4780	2296	tmp240616406.exe	93
PID 4780 wrote to memory of 1544	4780	tmp240616843.exe	88
PID 4780 wrote to memory of 1544	4780	tmp240616843.exe	88
PID 4780 wrote to memory of 1544	4780	tmp240616843.exe	88
PID 4780 wrote to memory of 3692	4780	tmp240616843.exe	89
PID 4780 wrote to memory of 3692	4780	tmp240616843.exe	89
PID 4780 wrote to memory of 3692	4780	tmp240616843.exe	89
PID 3692 wrote to memory of 2636	3692	tmp240617187.exe	90
PID 3692 wrote to memory of 2636	3692	tmp240617187.exe	90
PID 3692 wrote to memory of 2636	3692	tmp240617187.exe	90
PID 3692 wrote to memory of 2752	3692	tmp240617187.exe	91
PID 3692 wrote to memory of 2752	3692	tmp240617187.exe	91
PID 3692 wrote to memory of 2752	3692	tmp240617187.exe	91
PID 2752 wrote to memory of 2520	2752	tmp240617531.exe	92
PID 2752 wrote to memory of 2520	2752	tmp240617531.exe	92
PID 2752 wrote to memory of 2520	2752	tmp240617531.exe	92
PID 2752 wrote to memory of 4068	2752	tmp240617531.exe	96
PID 2752 wrote to memory of 4068	2752	tmp240617531.exe	96
PID 2752 wrote to memory of 4068	2752	tmp240617531.exe	96
PID 1800 wrote to memory of 2176	1800	tmp240613859.exe	101
PID 1800 wrote to memory of 2176	1800	tmp240613859.exe	101
PID 1800 wrote to memory of 2176	1800	tmp240613859.exe	101
PID 2176 wrote to memory of 748	2176	notpad.exe	97
PID 2176 wrote to memory of 748	2176	notpad.exe	97
PID 2176 wrote to memory of 748	2176	notpad.exe	97
PID 2176 wrote to memory of 1864	2176	notpad.exe	99
PID 2176 wrote to memory of 1864	2176	notpad.exe	99
PID 2176 wrote to memory of 1864	2176	notpad.exe	99
PID 748 wrote to memory of 740	748	tmp240618437.exe	98
PID 748 wrote to memory of 740	748	tmp240618437.exe	98
PID 748 wrote to memory of 740	748	tmp240618437.exe	98
PID 740 wrote to memory of 2216	740	notpad.exe	103
PID 740 wrote to memory of 2216	740	notpad.exe	103
PID 740 wrote to memory of 2216	740	notpad.exe	103
PID 2216 wrote to memory of 2668	2216	tmp240618734.exe	104
PID 2216 wrote to memory of 2668	2216	tmp240618734.exe	104
PID 2216 wrote to memory of 2668	2216	tmp240618734.exe	104
PID 740 wrote to memory of 1292	740	notpad.exe	105
PID 740 wrote to memory of 1292	740	notpad.exe	105
PID 740 wrote to memory of 1292	740	notpad.exe	105
PID 2668 wrote to memory of 3168	2668	notpad.exe	110

C:\Users\Admin\AppData\Local\Temp\83a50597a8db5f629f1ce1c091a4e8325562485a23f130ca2e57fe5ad0362d1c.exe
"C:\Users\Admin\AppData\Local\Temp\83a50597a8db5f629f1ce1c091a4e8325562485a23f130ca2e57fe5ad0362d1c.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Users\Admin\AppData\Local\Temp\tmp240613859.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240613859.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1800
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2176
- C:\Users\Admin\AppData\Local\Temp\tmp240614156.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240614156.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3844
- - C:\Users\Admin\AppData\Local\Temp\tmp240615343.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240615343.exe
    3⤵
    - Executes dropped EXE
    PID:1468
- - C:\Users\Admin\AppData\Local\Temp\tmp240616046.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240616046.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3108
  - - C:\Users\Admin\AppData\Local\Temp\tmp240616406.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240616406.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2296
    - - C:\Users\Admin\AppData\Local\Temp\tmp240616734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616734.exe
        5⤵
        Executes dropped EXE
        
        PID:2108
    - - C:\Users\Admin\AppData\Local\Temp\tmp240616843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616843.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4780

C:\Users\Admin\AppData\Local\Temp\tmp240616296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240616296.exe
1⤵
- Executes dropped EXE
PID:4720

C:\Users\Admin\AppData\Local\Temp\tmp240617031.exe
C:\Users\Admin\AppData\Local\Temp\tmp240617031.exe
1⤵
- Executes dropped EXE
PID:1544

C:\Users\Admin\AppData\Local\Temp\tmp240617187.exe
C:\Users\Admin\AppData\Local\Temp\tmp240617187.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3692
- C:\Users\Admin\AppData\Local\Temp\tmp240617437.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240617437.exe
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\Users\Admin\AppData\Local\Temp\tmp240617531.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240617531.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Users\Admin\AppData\Local\Temp\tmp240617703.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240617703.exe
    3⤵
    - Executes dropped EXE
    PID:2520
- - C:\Users\Admin\AppData\Local\Temp\tmp240617937.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240617937.exe
    3⤵
    - Executes dropped EXE
    PID:4068
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4068 -s 224
      4⤵
      Program crash
      PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4068 -ip 4068
1⤵
PID:4860

C:\Users\Admin\AppData\Local\Temp\tmp240618437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240618437.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:748
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Users\Admin\AppData\Local\Temp\tmp240618734.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240618734.exe
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2216
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Users\Admin\AppData\Local\Temp\tmp240621828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621828.exe
        5⤵
        Executes dropped EXE
        
        PID:3052
    - - C:\Users\Admin\AppData\Local\Temp\tmp240621140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621140.exe
        5⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3168
- - C:\Users\Admin\AppData\Local\Temp\tmp240620921.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240620921.exe
    3⤵
    - Executes dropped EXE
    PID:1292

C:\Users\Admin\AppData\Local\Temp\tmp240618500.exe
C:\Users\Admin\AppData\Local\Temp\tmp240618500.exe
1⤵
- Executes dropped EXE
PID:1864

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
PID:4248
- C:\Users\Admin\AppData\Local\Temp\tmp240622000.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240622000.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Modifies registry class
  PID:4180
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    PID:1928
  - - C:\Users\Admin\AppData\Local\Temp\tmp240622593.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240622593.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in System32 directory
      Modifies registry class
      PID:4228
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        Executes dropped EXE
        
        PID:1788
      - C:\Users\Admin\AppData\Local\Temp\tmp240623250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623250.exe
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4276
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        Executes dropped EXE
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623875.exe
        8⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4268
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        Executes dropped EXE
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638500.exe
        10⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1680
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        Executes dropped EXE
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642843.exe
        12⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4936
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        Executes dropped EXE
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643140.exe
        14⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        
        PID:2032
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        Executes dropped EXE
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643437.exe
        16⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        17⤵
        Executes dropped EXE
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643687.exe
        18⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        
        PID:1356
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        19⤵
        Executes dropped EXE
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644062.exe
        20⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        
        PID:5096
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        21⤵
        Executes dropped EXE
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644281.exe
        22⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3388
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        23⤵
        Executes dropped EXE
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644609.exe
        24⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3924
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        25⤵
        Executes dropped EXE
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644781.exe
        26⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4148
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        27⤵
        Executes dropped EXE
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645562.exe
        28⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2584
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        29⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646046.exe
        30⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4356
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        31⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646390.exe
        32⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        33⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648453.exe
        34⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1988
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        35⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648859.exe
        36⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        37⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652859.exe
        38⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4168
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        39⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653156.exe
        40⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        41⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653453.exe
        42⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        43⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653734.exe
        44⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        45⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684687.exe
        46⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        47⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685203.exe
        48⤵
        Checks computer location settings
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        49⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685437.exe
        50⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3388
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        51⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685671.exe
        52⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687000.exe
        52⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687078.exe
        53⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687109.exe
        53⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687171.exe
        54⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687203.exe
        54⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685453.exe
        50⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685484.exe
        51⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4652
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        52⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687218.exe
        53⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3592
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        54⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691687.exe
        55⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692515.exe
        55⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693093.exe
        56⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693140.exe
        56⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693265.exe
        57⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        58⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693828.exe
        59⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693968.exe
        59⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694062.exe
        60⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694109.exe
        60⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694171.exe
        61⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        62⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694453.exe
        63⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694796.exe
        63⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694890.exe
        64⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694906.exe
        64⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\tmp240695062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240695062.exe
        65⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        66⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmp240695843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240695843.exe
        67⤵
        Checks computer location settings
        
        PID:4888
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        68⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696265.exe
        69⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696281.exe
        69⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696343.exe
        70⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696359.exe
        70⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696390.exe
        71⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696406.exe
        71⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696015.exe
        67⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696140.exe
        68⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696156.exe
        68⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696250.exe
        69⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1272
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        70⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696468.exe
        71⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2572
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        72⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696671.exe
        73⤵
        Modifies registry class
        
        PID:4448
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        74⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709734.exe
        75⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709828.exe
        75⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709875.exe
        76⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709921.exe
        76⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709984.exe
        77⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2172
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        78⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710203.exe
        79⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        80⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710562.exe
        81⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        82⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710765.exe
        83⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710812.exe
        83⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710890.exe
        84⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710921.exe
        85⤵
        
        PID:204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710937.exe
        85⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710859.exe
        84⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710593.exe
        81⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710671.exe
        82⤵
        
        PID:2876
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710718.exe
        82⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710750.exe
        83⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        84⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710984.exe
        85⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        86⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\tmp240711156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240711156.exe
        87⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2176
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        88⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240711343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240711343.exe
        89⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\tmp240712015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240712015.exe
        89⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240712218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240712218.exe
        90⤵
        
        PID:1292
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        91⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\tmp240712531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240712531.exe
        92⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240732343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240732343.exe
        92⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240733734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240733734.exe
        93⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\tmp240734500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240734500.exe
        93⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240734625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240734625.exe
        94⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\tmp240734734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240734734.exe
        94⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\tmp240712250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240712250.exe
        90⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240712328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240712328.exe
        91⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240712406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240712406.exe
        91⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240711203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240711203.exe
        87⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\tmp240711250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240711250.exe
        88⤵
        
        PID:720
        
        C:\Users\Admin\AppData\Local\Temp\tmp240711265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240711265.exe
        88⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\tmp240711296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240711296.exe
        89⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        90⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\tmp240712234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240712234.exe
        91⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\tmp240712281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240712281.exe
        91⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240712359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240712359.exe
        92⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240712390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240712390.exe
        92⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\tmp240712453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240712453.exe
        93⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2528
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        94⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\tmp240734468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240734468.exe
        95⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\tmp240734546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240734546.exe
        96⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\tmp240734609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240734609.exe
        96⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240734765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240734765.exe
        97⤵
        Drops file in System32 directory
        
        PID:2620
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        98⤵
        
        PID:32
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735421.exe
        99⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735437.exe
        99⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735515.exe
        100⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735578.exe
        100⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735625.exe
        101⤵
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        102⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736000.exe
        103⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736062.exe
        103⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736125.exe
        104⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3464
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        105⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736343.exe
        106⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736406.exe
        106⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736531.exe
        107⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736609.exe
        108⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736671.exe
        108⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736484.exe
        107⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736156.exe
        104⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736218.exe
        105⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736281.exe
        105⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735656.exe
        101⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735109.exe
        97⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240734453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240734453.exe
        95⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4868
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        96⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240734656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240734656.exe
        97⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        98⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\tmp240734906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240734906.exe
        99⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735281.exe
        99⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735375.exe
        100⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1844
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        101⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735671.exe
        102⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735750.exe
        102⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735859.exe
        103⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3880
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        104⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736171.exe
        105⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736203.exe
        105⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736296.exe
        106⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3612
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        107⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736593.exe
        108⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4728
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        109⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736890.exe
        110⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3444
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        111⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240737125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240737125.exe
        112⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:996
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        113⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240737406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240737406.exe
        114⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1184
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        115⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\tmp240737562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240737562.exe
        116⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2372
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        117⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\tmp240738937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240738937.exe
        118⤵
        Checks computer location settings
        
        PID:5008
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        119⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\tmp240739781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240739781.exe
        120⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740000.exe
        120⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740062.exe
        121⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740125.exe
        121⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740218.exe
        122⤵
        Checks computer location settings
        
        PID:4708
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        123⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740421.exe
        124⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        125⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740593.exe
        126⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3840
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        127⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240741359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240741359.exe
        128⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4544
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        129⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\tmp240741609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240741609.exe
        130⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1768
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        131⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\tmp240741843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240741843.exe
        132⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3848
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        133⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\tmp240742140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240742140.exe
        134⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:5032
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        135⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240742375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240742375.exe
        136⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4112
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        137⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240742390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240742390.exe
        136⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240742421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240742421.exe
        137⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\tmp240742437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240742437.exe
        137⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240742484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240742484.exe
        138⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmp240742500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240742500.exe
        138⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\tmp240742156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240742156.exe
        134⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240742203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240742203.exe
        135⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\tmp240742218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240742218.exe
        135⤵
        
        PID:64
        
        C:\Users\Admin\AppData\Local\Temp\tmp240742265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240742265.exe
        136⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\tmp240742281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240742281.exe
        136⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240741859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240741859.exe
        132⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\tmp240741906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240741906.exe
        133⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\tmp240741937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240741937.exe
        133⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\tmp240741984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240741984.exe
        134⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\tmp240742031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240742031.exe
        134⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\tmp240741625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240741625.exe
        130⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\tmp240741656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240741656.exe
        131⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240741671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240741671.exe
        131⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\tmp240741718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240741718.exe
        132⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\tmp240741734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240741734.exe
        132⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\tmp240741375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240741375.exe
        128⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240741406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240741406.exe
        129⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\tmp240741421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240741421.exe
        129⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240741500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240741500.exe
        130⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\tmp240741515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240741515.exe
        130⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740828.exe
        126⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740890.exe
        127⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\tmp240741125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240741125.exe
        127⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240741218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240741218.exe
        128⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\tmp240741234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240741234.exe
        128⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740437.exe
        124⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740484.exe
        125⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740843.exe
        125⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740906.exe
        126⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\tmp240741171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240741171.exe
        126⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740234.exe
        122⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240738968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240738968.exe
        118⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240739046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240739046.exe
        119⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240739703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240739703.exe
        119⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240739906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240739906.exe
        120⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        121⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740250.exe
        122⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740281.exe
        122⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740328.exe
        123⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740343.exe
        123⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740375.exe
        124⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740390.exe
        124⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240740031.exe
        120⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240738671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240738671.exe
        116⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\tmp240738765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240738765.exe
        117⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240738796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240738796.exe
        117⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240738875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240738875.exe
        118⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240738921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240738921.exe
        118⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240737421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240737421.exe
        114⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\tmp240738453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240738453.exe
        115⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\tmp240738718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240738718.exe
        115⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240738781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240738781.exe
        116⤵
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\tmp240738890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240738890.exe
        116⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\tmp240737140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240737140.exe
        112⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\tmp240737156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240737156.exe
        113⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\tmp240737234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240737234.exe
        113⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\tmp240737312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240737312.exe
        114⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\tmp240737359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240737359.exe
        114⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736937.exe
        110⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736984.exe
        111⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240737031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240737031.exe
        111⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\tmp240737062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240737062.exe
        112⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240737093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240737093.exe
        112⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736625.exe
        108⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736750.exe
        109⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736781.exe
        109⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736843.exe
        110⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736859.exe
        110⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736359.exe
        106⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736468.exe
        107⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240736562.exe
        107⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735890.exe
        103⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735921.exe
        104⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735968.exe
        104⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735484.exe
        100⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735546.exe
        101⤵
        
        PID:1352
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735609.exe
        101⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240734687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240734687.exe
        97⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735156.exe
        98⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735187.exe
        98⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735312.exe
        99⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240735296.exe
        99⤵
        
        PID:420
        
        C:\Users\Admin\AppData\Local\Temp\tmp240732281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240732281.exe
        93⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240712000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240712000.exe
        89⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240711000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240711000.exe
        85⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\tmp240711046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240711046.exe
        86⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\tmp240711062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240711062.exe
        86⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\tmp240711093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240711093.exe
        87⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\tmp240711125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240711125.exe
        87⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710781.exe
        83⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710218.exe
        79⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710500.exe
        80⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710531.exe
        80⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710578.exe
        81⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710625.exe
        81⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710031.exe
        77⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696906.exe
        73⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697015.exe
        74⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697046.exe
        74⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697093.exe
        75⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        76⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710015.exe
        77⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710062.exe
        77⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710109.exe
        78⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710140.exe
        78⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710187.exe
        79⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710421.exe
        79⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709781.exe
        75⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696484.exe
        71⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696859.exe
        72⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696921.exe
        72⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697031.exe
        73⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709718.exe
        73⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696296.exe
        69⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240695250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240695250.exe
        65⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694234.exe
        61⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693578.exe
        57⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691484.exe
        53⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691562.exe
        54⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691578.exe
        54⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692218.exe
        55⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2400
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        56⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692687.exe
        57⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        58⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693328.exe
        59⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693671.exe
        59⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693734.exe
        60⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4324
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        61⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694218.exe
        62⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694296.exe
        62⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694343.exe
        63⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694406.exe
        63⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694765.exe
        64⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4204
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        65⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\tmp240695031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240695031.exe
        66⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240695265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240695265.exe
        66⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240695609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240695609.exe
        67⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\tmp240695640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240695640.exe
        67⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240695687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240695687.exe
        68⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240695703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240695703.exe
        68⤵
        
        PID:204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694812.exe
        64⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693890.exe
        60⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694015.exe
        61⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694046.exe
        61⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693046.exe
        57⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693109.exe
        58⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693156.exe
        58⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693203.exe
        59⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693218.exe
        59⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692484.exe
        55⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686968.exe
        51⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687062.exe
        52⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687125.exe
        52⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685250.exe
        48⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685328.exe
        49⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685343.exe
        49⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685375.exe
        50⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685406.exe
        50⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685000.exe
        46⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685093.exe
        47⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685125.exe
        47⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685156.exe
        48⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685187.exe
        48⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654031.exe
        44⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654078.exe
        45⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654093.exe
        45⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654171.exe
        46⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654203.exe
        46⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653546.exe
        42⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653609.exe
        43⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653656.exe
        43⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654046.exe
        44⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654109.exe
        44⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653250.exe
        40⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653328.exe
        41⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653343.exe
        41⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653515.exe
        42⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653562.exe
        42⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652953.exe
        38⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653046.exe
        39⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653093.exe
        39⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653187.exe
        40⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653281.exe
        40⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649046.exe
        36⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651984.exe
        37⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652500.exe
        37⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648640.exe
        34⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652000.exe
        35⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652750.exe
        35⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646578.exe
        32⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646187.exe
        30⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645875.exe
        28⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645031.exe
        26⤵
        Executes dropped EXE
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644625.exe
        24⤵
        Executes dropped EXE
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644437.exe
        22⤵
        Executes dropped EXE
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644078.exe
        20⤵
        Executes dropped EXE
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643843.exe
        18⤵
        Executes dropped EXE
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643484.exe
        16⤵
        Executes dropped EXE
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643171.exe
        14⤵
        Executes dropped EXE
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642875.exe
        12⤵
        Executes dropped EXE
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642031.exe
        10⤵
        Executes dropped EXE
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631000.exe
        8⤵
        Executes dropped EXE
        
        PID:1648
      - C:\Users\Admin\AppData\Local\Temp\tmp240623625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623625.exe
        6⤵
        Executes dropped EXE
        
        PID:4564
  - - C:\Users\Admin\AppData\Local\Temp\tmp240622890.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240622890.exe
      4⤵
      Executes dropped EXE
      PID:1224
- C:\Users\Admin\AppData\Local\Temp\tmp240622218.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240622218.exe
  2⤵
  - Executes dropped EXE
  PID:1204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp240613859.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240613859.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240614156.exe

Filesize
4.2MB

MD5
3a7afea71e821c09a0d5795f2ab17ffa

SHA1
b3483e3612e8384cc7ee298854f9b24df4fc8887

SHA256
3a783dc4c33984f15aa8377058f1f4b82691b7db193f9f85b70d450cf20e281d

SHA512
cb62d85d5a47242d84c0096fe06f2a430902ef6e2022d315971d99a3c891bfa1fca9c63743e51e351939d6a1f2037250b2ca7491365d8cb335cf502a868531b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240614156.exe

Filesize
4.2MB

MD5
3a7afea71e821c09a0d5795f2ab17ffa

SHA1
b3483e3612e8384cc7ee298854f9b24df4fc8887

SHA256
3a783dc4c33984f15aa8377058f1f4b82691b7db193f9f85b70d450cf20e281d

SHA512
cb62d85d5a47242d84c0096fe06f2a430902ef6e2022d315971d99a3c891bfa1fca9c63743e51e351939d6a1f2037250b2ca7491365d8cb335cf502a868531b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240615343.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240615343.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240616046.exe

Filesize
3.5MB

MD5
4e60f9dd64f7bea911e27c35927914db

SHA1
a15831b2bd078d067f6f6bcad0544b87e606ff72

SHA256
c7b1e79d05eea50a897196732c2513321e9aa80f237ff867bf82205d33c7b890

SHA512
c4ff7326900dcc43fbfb909d6dc91218db4f9c0da0e24bf6626fe52f2f52a2c6c43b49af951b03e19fdafeeb7f2b0795d59d86c8a992a35576e509a6fada9595

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240616046.exe

Filesize
3.5MB

MD5
4e60f9dd64f7bea911e27c35927914db

SHA1
a15831b2bd078d067f6f6bcad0544b87e606ff72

SHA256
c7b1e79d05eea50a897196732c2513321e9aa80f237ff867bf82205d33c7b890

SHA512
c4ff7326900dcc43fbfb909d6dc91218db4f9c0da0e24bf6626fe52f2f52a2c6c43b49af951b03e19fdafeeb7f2b0795d59d86c8a992a35576e509a6fada9595

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240616296.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240616296.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240616406.exe

Filesize
2.8MB

MD5
07207c6449dcdb2e9cd6de4fd45e2197

SHA1
1de0c57b1d3a09064a93ce7b71ec743a76b6f769

SHA256
557622d2efef3914db91c1cba10876b2f5728d5c59bebfc5d562adb34c2019cb

SHA512
f013db719b541da73de6cb5dd3e7fee28a3c5f84c56535124f90927bac618ade2cf826e999a17489124abe4c680feee707a932a7c8f6cf1b662f45c86e4173bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240616406.exe

Filesize
2.8MB

MD5
07207c6449dcdb2e9cd6de4fd45e2197

SHA1
1de0c57b1d3a09064a93ce7b71ec743a76b6f769

SHA256
557622d2efef3914db91c1cba10876b2f5728d5c59bebfc5d562adb34c2019cb

SHA512
f013db719b541da73de6cb5dd3e7fee28a3c5f84c56535124f90927bac618ade2cf826e999a17489124abe4c680feee707a932a7c8f6cf1b662f45c86e4173bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240616734.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240616734.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240616843.exe

Filesize
2.1MB

MD5
097f3ea907670bed31599cfd655ee348

SHA1
cb7eed08824f8786da069a6c46d647a951ff8a4f

SHA256
8215c6b64c22424d2d657506a30c8d93c87deb115e6dbf779cafd25054763745

SHA512
257ad13a9e49d0fde64e315e0317c8fbc6c6668d24948280c7b709179467790d6d2ca9b93c474d09683b0a3e103a0bafee9396636040e101b04f1d40a1d96a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240616843.exe

Filesize
2.1MB

MD5
097f3ea907670bed31599cfd655ee348

SHA1
cb7eed08824f8786da069a6c46d647a951ff8a4f

SHA256
8215c6b64c22424d2d657506a30c8d93c87deb115e6dbf779cafd25054763745

SHA512
257ad13a9e49d0fde64e315e0317c8fbc6c6668d24948280c7b709179467790d6d2ca9b93c474d09683b0a3e103a0bafee9396636040e101b04f1d40a1d96a0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240617031.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240617031.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240617187.exe

Filesize
1.5MB

MD5
1744564400bb38e7615e051789b0adca

SHA1
85a27508e97f59e25b70535b8b4f8868710f685c

SHA256
abd6f5240021b2f3a4041eca66630df7601de507c803455bb3c9387ae0cd79e7

SHA512
b9483d6d291a56954a1eb1b189566c3fb50ef0551268901b4ec5268521bfea5bfe4e77b56983adafa3a2162a02b98457c87a79f14121ae6ae7e0ffc92cc527b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240617187.exe

Filesize
1.5MB

MD5
1744564400bb38e7615e051789b0adca

SHA1
85a27508e97f59e25b70535b8b4f8868710f685c

SHA256
abd6f5240021b2f3a4041eca66630df7601de507c803455bb3c9387ae0cd79e7

SHA512
b9483d6d291a56954a1eb1b189566c3fb50ef0551268901b4ec5268521bfea5bfe4e77b56983adafa3a2162a02b98457c87a79f14121ae6ae7e0ffc92cc527b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240617437.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240617437.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240617531.exe

Filesize
822KB

MD5
e1b71132211d8f10ec4dd48457e08199

SHA1
50d2c7d01f8d5651ca0d032dd1049c96996cd4ab

SHA256
be59cde6bcffa69297595263489ea3c8a96004886e959abb3bf60bb0f5e363c1

SHA512
b6d90d6a30f9adec4969b994e59e615d052d67bad4dbe3696ec8e7b68f4c5999ee4937828640c01b30945cd8045b1f77ddab686d88914ae038b341a95ac8f9be

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240617531.exe

Filesize
822KB

MD5
e1b71132211d8f10ec4dd48457e08199

SHA1
50d2c7d01f8d5651ca0d032dd1049c96996cd4ab

SHA256
be59cde6bcffa69297595263489ea3c8a96004886e959abb3bf60bb0f5e363c1

SHA512
b6d90d6a30f9adec4969b994e59e615d052d67bad4dbe3696ec8e7b68f4c5999ee4937828640c01b30945cd8045b1f77ddab686d88914ae038b341a95ac8f9be

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240617703.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240617703.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240617937.exe

Filesize
136KB

MD5
18aca7c567303b7dfd873a0fe81345d2

SHA1
a7f160fe2c2a583fb0bdeeb78cf04ba6cf9bdf09

SHA256
5a134885052db8682994552f1ecab3cc75cd46dcea679a9940a2b7995cd9147d

SHA512
42b1d749adbc716832bb5e81e6a3987ac2cdc73e95aa683d02b755c4256b435fd929ecca62578f43f5bc28681101f2e9b20b17d68fb9f51cee0ad7c11f70f086

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240617937.exe

Filesize
136KB

MD5
18aca7c567303b7dfd873a0fe81345d2

SHA1
a7f160fe2c2a583fb0bdeeb78cf04ba6cf9bdf09

SHA256
5a134885052db8682994552f1ecab3cc75cd46dcea679a9940a2b7995cd9147d

SHA512
42b1d749adbc716832bb5e81e6a3987ac2cdc73e95aa683d02b755c4256b435fd929ecca62578f43f5bc28681101f2e9b20b17d68fb9f51cee0ad7c11f70f086

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240618437.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240618437.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240618500.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240618734.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240618734.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240620921.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240621140.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240621140.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240621828.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240622000.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240622000.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240622218.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240622593.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240622593.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240622890.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240623250.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240623250.exe

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
675KB

MD5
faf152aa69587a601c404d70a1b0e286

SHA1
e6ed276709251b9d08484d6752c3d736ab21852f

SHA256
21a2fecab84964dc6a36daccf0806687e3997e9c3e2e1f4644caf97e69853c4d

SHA512
3674deb8695f74398f8f71bae4a19c433fc02dd3074e4640fa81868f889f2a5d3f7fb8dbada7daa1eea74a6a47cd768c54adbe34e80a71d48106eb11a3faa815

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
848KB

MD5
060d697dda759a9ee55f664105f7b798

SHA1
86943077386d2132bde8428e5af4873461936b44

SHA256
a83adc142b2c6683203583dcf0e160ea1fef6418785dafbcc135410dc71d9dbb

SHA512
93deab59c1ca291026de27a42272135bf87aaf0ca4faae14d9ab41bb6491b612edfc4a477765c6877ad842fcb2f355e1809ca8a7b61e928045db6a677baa145b

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
848KB

MD5
060d697dda759a9ee55f664105f7b798

SHA1
86943077386d2132bde8428e5af4873461936b44

SHA256
a83adc142b2c6683203583dcf0e160ea1fef6418785dafbcc135410dc71d9dbb

SHA512
93deab59c1ca291026de27a42272135bf87aaf0ca4faae14d9ab41bb6491b612edfc4a477765c6877ad842fcb2f355e1809ca8a7b61e928045db6a677baa145b

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
848KB

MD5
060d697dda759a9ee55f664105f7b798

SHA1
86943077386d2132bde8428e5af4873461936b44

SHA256
a83adc142b2c6683203583dcf0e160ea1fef6418785dafbcc135410dc71d9dbb

SHA512
93deab59c1ca291026de27a42272135bf87aaf0ca4faae14d9ab41bb6491b612edfc4a477765c6877ad842fcb2f355e1809ca8a7b61e928045db6a677baa145b

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
848KB

MD5
060d697dda759a9ee55f664105f7b798

SHA1
86943077386d2132bde8428e5af4873461936b44

SHA256
a83adc142b2c6683203583dcf0e160ea1fef6418785dafbcc135410dc71d9dbb

SHA512
93deab59c1ca291026de27a42272135bf87aaf0ca4faae14d9ab41bb6491b612edfc4a477765c6877ad842fcb2f355e1809ca8a7b61e928045db6a677baa145b

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
848KB

MD5
060d697dda759a9ee55f664105f7b798

SHA1
86943077386d2132bde8428e5af4873461936b44

SHA256
a83adc142b2c6683203583dcf0e160ea1fef6418785dafbcc135410dc71d9dbb

SHA512
93deab59c1ca291026de27a42272135bf87aaf0ca4faae14d9ab41bb6491b612edfc4a477765c6877ad842fcb2f355e1809ca8a7b61e928045db6a677baa145b

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
848KB

MD5
060d697dda759a9ee55f664105f7b798

SHA1
86943077386d2132bde8428e5af4873461936b44

SHA256
a83adc142b2c6683203583dcf0e160ea1fef6418785dafbcc135410dc71d9dbb

SHA512
93deab59c1ca291026de27a42272135bf87aaf0ca4faae14d9ab41bb6491b612edfc4a477765c6877ad842fcb2f355e1809ca8a7b61e928045db6a677baa145b

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
848KB

MD5
060d697dda759a9ee55f664105f7b798

SHA1
86943077386d2132bde8428e5af4873461936b44

SHA256
a83adc142b2c6683203583dcf0e160ea1fef6418785dafbcc135410dc71d9dbb

SHA512
93deab59c1ca291026de27a42272135bf87aaf0ca4faae14d9ab41bb6491b612edfc4a477765c6877ad842fcb2f355e1809ca8a7b61e928045db6a677baa145b

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
memory/396-308-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/740-198-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/740-210-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/812-264-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1208-307-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1208-305-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1280-139-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1280-132-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1368-315-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1368-316-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1452-310-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1544-282-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1544-285-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1788-249-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1860-312-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1928-237-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1928-240-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2120-260-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2120-255-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2176-195-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2296-155-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2296-162-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2300-297-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2420-311-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2492-277-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2544-309-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2624-303-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2624-304-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2668-226-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2668-218-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2672-323-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2672-321-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2752-177-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2752-183-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3004-272-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3108-153-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3312-320-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3568-318-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3692-176-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3712-306-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3844-140-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3844-147-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3908-298-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3984-302-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3984-301-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4028-253-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4028-258-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4028-251-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4064-313-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4064-322-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4068-199-0x0000000000010000-0x0000000000032000-memory.dmp

Filesize
136KB

Download
memory/4248-217-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4248-231-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4264-317-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4264-314-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4652-293-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4652-294-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4680-290-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4728-319-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4780-169-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4824-268-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4952-299-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4952-300-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5028-280-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download