7d880d96531f9998702b85c423adc031d69b244b38f3a67712b3bd500e347b98

Analysis

max time kernel
142s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 00:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7d880d96531f9998702b85c423adc031d69b244b38f3a67712b3bd500e347b98.exe
Size

6.6MB
MD5

09d87df8a58767dc79a5938317d42591
SHA1

cb27998de638b425f95fcabaa61bc7f508934e2c
SHA256

7d880d96531f9998702b85c423adc031d69b244b38f3a67712b3bd500e347b98
SHA512

d6a1aa68874696683d1bb9a3e1c51e8ea1f0c6290b6a77bb50d7d52dfd18594b447fe3f1435c53c1208557ba9002c945385100e493d47dbfbd9c7e3db81473e0
SSDEEP

98304:Dt5txtItqtjt5txtItqtCt5t5txtItqtjt5txtItqtCtMt:xDrmsRDrmsUDDrmsRDrmsUy

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2796	tmp240585937.exe
5072	tmp240586218.exe
1292	tmp240586406.exe
5040	tmp240586671.exe
1640	notpad.exe
2332	tmp240587515.exe
1944	tmp240588156.exe
4888	tmp240633140.exe
2520	tmp240594265.exe
3176	notpad.exe
3820	notpad.exe
380	tmp240594578.exe
812	tmp240594625.exe
216	tmp240634671.exe
3772	notpad.exe
3952	tmp240595234.exe
4092	notpad.exe
748	tmp240635390.exe
4624	tmp240598031.exe
4660	tmp240619281.exe
4044	tmp240598359.exe
2404	tmp240599703.exe
2080	notpad.exe
4204	notpad.exe
4808	tmp240635765.exe
5112	notpad.exe
2592	tmp240662812.exe
1108	tmp240602812.exe
4440	tmp240667640.exe
1092	tmp240603109.exe
3816	tmp240664953.exe
744	notpad.exe
3532	tmp240603640.exe
4868	tmp240606312.exe
5088	notpad.exe
4048	tmp240621218.exe
3128	tmp240608578.exe
4696	notpad.exe
4308	tmp240608828.exe
4588	tmp240648265.exe
4420	tmp240647593.exe
3680	tmp240609437.exe
3108	tmp240678875.exe
4468	notpad.exe
1312	tmp240653562.exe
4532	tmp240609796.exe
1776	notpad.exe
388	tmp240610187.exe
5036	notpad.exe
1292	tmp240610375.exe
3056	tmp240610437.exe
4932	tmp240610468.exe
3184	tmp240610593.exe
1464	tmp240681093.exe
1304	tmp240610765.exe
2028	notpad.exe
2196	tmp240655015.exe
2224	tmp240632906.exe
1672	notpad.exe
4888	tmp240633140.exe
3176	notpad.exe
856	tmp240611671.exe
3848	notpad.exe
4668	tmp240618187.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4512-132-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4512-139-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0002000000022df4-138.dat	upx
behavioral2/files/0x0002000000022df4-137.dat	upx
behavioral2/memory/5072-146-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0003000000022df9-148.dat	upx
behavioral2/files/0x0003000000022df9-149.dat	upx
behavioral2/memory/1640-150-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1640-158-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0002000000022df7-154.dat	upx
behavioral2/files/0x0003000000022df9-160.dat	upx
behavioral2/memory/4888-168-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0003000000022df9-170.dat	upx
behavioral2/memory/3820-178-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0003000000022df9-180.dat	upx
behavioral2/files/0x0002000000022df7-175.dat	upx
behavioral2/memory/216-181-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/216-189-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0003000000022df9-191.dat	upx
behavioral2/files/0x0002000000022df7-186.dat	upx
behavioral2/memory/4092-192-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0002000000022df7-165.dat	upx
behavioral2/memory/4092-200-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0003000000022df9-202.dat	upx
behavioral2/files/0x0002000000022df7-197.dat	upx
behavioral2/memory/4660-203-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4660-211-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0003000000022df9-213.dat	upx
behavioral2/files/0x0002000000022df7-208.dat	upx
behavioral2/memory/2080-214-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2080-222-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0003000000022df9-224.dat	upx
behavioral2/files/0x0002000000022df7-218.dat	upx
behavioral2/files/0x0002000000022df7-228.dat	upx
behavioral2/memory/5112-232-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0003000000022df9-234.dat	upx
behavioral2/memory/4440-243-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0003000000022df9-245.dat	upx
behavioral2/files/0x0002000000022df7-239.dat	upx
behavioral2/memory/4440-238-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/744-246-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/744-249-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5088-253-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4696-257-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4420-259-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4420-262-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3108-267-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2028-285-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2224-288-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3176-290-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3184-281-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5036-278-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/388-277-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/388-275-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5036-274-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4468-269-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3176-294-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3848-295-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4668-297-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4780-296-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2040-300-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1756-301-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4780-299-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4668-298-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Checks computer location settings 2 TTPs 52 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240594265.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240693515.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240650796.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240652546.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240655062.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240585937.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240598359.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240603640.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240684359.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240653562.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240635156.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240643875.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240659703.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	notpad.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240603109.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240621218.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240608828.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240610375.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240678953.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240693140.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240633140.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240635656.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240647406.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240678875.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240698203.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240707125.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240635390.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240655015.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240619687.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240691750.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240694062.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240672812.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240650718.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240697796.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240707218.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240587515.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240594578.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	notpad.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240662812.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240655234.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240706156.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240611671.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240618968.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240620015.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240693468.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240644250.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240663171.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240693937.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240702390.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240609437.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240620765.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240620984.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240643875.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240659703.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240706156.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240594578.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240691750.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240691750.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240635156.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240620765.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240678953.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240633140.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240694062.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240603640.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240621218.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240653562.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240655015.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240610375.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240620015.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240678875.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240697796.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240598359.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240621218.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240609437.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240610375.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240707218.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240585937.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240693140.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240684359.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240698203.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240708015.exe
File created	C:\Windows\SysWOW64\fsb.tmp	tmp240585937.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240618968.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240618968.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240663171.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240608828.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240620984.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240655234.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240693515.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240619687.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240693140.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240635156.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240594578.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240635390.exe
File created	C:\Windows\SysWOW64\notpad.exe	notpad.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240693515.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240707125.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240644250.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240650796.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240655062.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240655062.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240672812.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240678875.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240697796.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240698203.exe
File created	C:\Windows\SysWOW64\notpad.exe-	notpad.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240635656.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240644250.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240655234.exe
File created	C:\Windows\SysWOW64\notpad.exe-	notpad.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240603109.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240603109.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240609437.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240585937.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240587515.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 53 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240691750.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240643875.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240620015.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240620765.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240693140.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240698203.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240655015.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240633140.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240594265.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240594578.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240610375.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240693937.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240702390.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240644250.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240672812.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240650796.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240655062.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240662812.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240620984.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240708015.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240635390.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240655234.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240603640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240609437.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240635656.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240659703.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240707218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240653562.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240618968.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240693468.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240598359.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240693515.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240684359.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240611671.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240585937.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240635156.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240650718.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240707125.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240587515.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240619687.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240663171.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240652546.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240706156.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240697796.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240694062.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240678875.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240608828.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240647406.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240603109.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240621218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240678953.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4512 wrote to memory of 2796	4512	7d880d96531f9998702b85c423adc031d69b244b38f3a67712b3bd500e347b98.exe	80
PID 4512 wrote to memory of 2796	4512	7d880d96531f9998702b85c423adc031d69b244b38f3a67712b3bd500e347b98.exe	80
PID 4512 wrote to memory of 2796	4512	7d880d96531f9998702b85c423adc031d69b244b38f3a67712b3bd500e347b98.exe	80
PID 4512 wrote to memory of 5072	4512	7d880d96531f9998702b85c423adc031d69b244b38f3a67712b3bd500e347b98.exe	81
PID 4512 wrote to memory of 5072	4512	7d880d96531f9998702b85c423adc031d69b244b38f3a67712b3bd500e347b98.exe	81
PID 4512 wrote to memory of 5072	4512	7d880d96531f9998702b85c423adc031d69b244b38f3a67712b3bd500e347b98.exe	81
PID 5072 wrote to memory of 1292	5072	tmp240586218.exe	83
PID 5072 wrote to memory of 1292	5072	tmp240586218.exe	83
PID 5072 wrote to memory of 1292	5072	tmp240586218.exe	83
PID 5072 wrote to memory of 5040	5072	tmp240586218.exe	82
PID 5072 wrote to memory of 5040	5072	tmp240586218.exe	82
PID 5072 wrote to memory of 5040	5072	tmp240586218.exe	82
PID 2796 wrote to memory of 1640	2796	tmp240585937.exe	84
PID 2796 wrote to memory of 1640	2796	tmp240585937.exe	84
PID 2796 wrote to memory of 1640	2796	tmp240585937.exe	84
PID 1640 wrote to memory of 2332	1640	notpad.exe	86
PID 1640 wrote to memory of 2332	1640	notpad.exe	86
PID 1640 wrote to memory of 2332	1640	notpad.exe	86
PID 1640 wrote to memory of 1944	1640	notpad.exe	85
PID 1640 wrote to memory of 1944	1640	notpad.exe	85
PID 1640 wrote to memory of 1944	1640	notpad.exe	85
PID 2332 wrote to memory of 4888	2332	tmp240587515.exe	212
PID 2332 wrote to memory of 4888	2332	tmp240587515.exe	212
PID 2332 wrote to memory of 4888	2332	tmp240587515.exe	212
PID 4888 wrote to memory of 2520	4888	tmp240633140.exe	95
PID 4888 wrote to memory of 2520	4888	tmp240633140.exe	95
PID 4888 wrote to memory of 2520	4888	tmp240633140.exe	95
PID 4888 wrote to memory of 3176	4888	tmp240633140.exe	134
PID 4888 wrote to memory of 3176	4888	tmp240633140.exe	134
PID 4888 wrote to memory of 3176	4888	tmp240633140.exe	134
PID 2520 wrote to memory of 3820	2520	tmp240594265.exe	94
PID 2520 wrote to memory of 3820	2520	tmp240594265.exe	94
PID 2520 wrote to memory of 3820	2520	tmp240594265.exe	94
PID 3820 wrote to memory of 380	3820	notpad.exe	93
PID 3820 wrote to memory of 380	3820	notpad.exe	93
PID 3820 wrote to memory of 380	3820	notpad.exe	93
PID 3820 wrote to memory of 812	3820	notpad.exe	88
PID 3820 wrote to memory of 812	3820	notpad.exe	88
PID 3820 wrote to memory of 812	3820	notpad.exe	88
PID 380 wrote to memory of 216	380	tmp240594578.exe	219
PID 380 wrote to memory of 216	380	tmp240594578.exe	219
PID 380 wrote to memory of 216	380	tmp240594578.exe	219
PID 216 wrote to memory of 3772	216	tmp240634671.exe	234
PID 216 wrote to memory of 3772	216	tmp240634671.exe	234
PID 216 wrote to memory of 3772	216	tmp240634671.exe	234
PID 216 wrote to memory of 3952	216	tmp240634671.exe	91
PID 216 wrote to memory of 3952	216	tmp240634671.exe	91
PID 216 wrote to memory of 3952	216	tmp240634671.exe	91
PID 3772 wrote to memory of 4092	3772	notpad.exe	90
PID 3772 wrote to memory of 4092	3772	notpad.exe	90
PID 3772 wrote to memory of 4092	3772	notpad.exe	90
PID 4092 wrote to memory of 748	4092	notpad.exe	227
PID 4092 wrote to memory of 748	4092	notpad.exe	227
PID 4092 wrote to memory of 748	4092	notpad.exe	227
PID 4092 wrote to memory of 4624	4092	notpad.exe	99
PID 4092 wrote to memory of 4624	4092	notpad.exe	99
PID 4092 wrote to memory of 4624	4092	notpad.exe	99
PID 748 wrote to memory of 4660	748	tmp240635390.exe	154
PID 748 wrote to memory of 4660	748	tmp240635390.exe	154
PID 748 wrote to memory of 4660	748	tmp240635390.exe	154
PID 4660 wrote to memory of 4044	4660	tmp240619281.exe	104
PID 4660 wrote to memory of 4044	4660	tmp240619281.exe	104
PID 4660 wrote to memory of 4044	4660	tmp240619281.exe	104
PID 4660 wrote to memory of 2404	4660	tmp240619281.exe	102

C:\Users\Admin\AppData\Local\Temp\7d880d96531f9998702b85c423adc031d69b244b38f3a67712b3bd500e347b98.exe
"C:\Users\Admin\AppData\Local\Temp\7d880d96531f9998702b85c423adc031d69b244b38f3a67712b3bd500e347b98.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4512
- C:\Users\Admin\AppData\Local\Temp\tmp240585937.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240585937.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:1640
  - - C:\Users\Admin\AppData\Local\Temp\tmp240588156.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240588156.exe
      4⤵
      Executes dropped EXE
      PID:1944
  - - C:\Users\Admin\AppData\Local\Temp\tmp240587515.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240587515.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in System32 directory
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:2332
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:4888
- C:\Users\Admin\AppData\Local\Temp\tmp240586218.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240586218.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5072
- - C:\Users\Admin\AppData\Local\Temp\tmp240586671.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240586671.exe
    3⤵
    - Executes dropped EXE
    PID:5040
- - C:\Users\Admin\AppData\Local\Temp\tmp240586406.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240586406.exe
    3⤵
    - Executes dropped EXE
    PID:1292

C:\Users\Admin\AppData\Local\Temp\tmp240594328.exe
C:\Users\Admin\AppData\Local\Temp\tmp240594328.exe
1⤵
PID:3176

C:\Users\Admin\AppData\Local\Temp\tmp240594625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240594625.exe
1⤵
- Executes dropped EXE
PID:812

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:216
- C:\Users\Admin\AppData\Local\Temp\tmp240595234.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240595234.exe
  2⤵
  - Executes dropped EXE
  PID:3952
- C:\Users\Admin\AppData\Local\Temp\tmp240594953.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240594953.exe
  2⤵
  PID:3772
- - C:\Users\Admin\AppData\Local\Temp\tmp240635218.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240635218.exe
    3⤵
    PID:2680
  - - C:\Users\Admin\AppData\Local\Temp\tmp240635265.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240635265.exe
      4⤵
      PID:2348
  - - C:\Users\Admin\AppData\Local\Temp\tmp240635281.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240635281.exe
      4⤵
      PID:1684
- - C:\Users\Admin\AppData\Local\Temp\tmp240635156.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240635156.exe
    3⤵
    - Checks computer location settings
    - Drops file in System32 directory
    - Modifies registry class
    PID:1748

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Users\Admin\AppData\Local\Temp\tmp240595562.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240595562.exe
  2⤵
  PID:748
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:4660
  - - C:\Users\Admin\AppData\Local\Temp\tmp240599703.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240599703.exe
      4⤵
      Executes dropped EXE
      PID:2404
  - - C:\Users\Admin\AppData\Local\Temp\tmp240598359.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240598359.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in System32 directory
      Modifies registry class
      PID:4044
- C:\Users\Admin\AppData\Local\Temp\tmp240598031.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240598031.exe
  2⤵
  - Executes dropped EXE
  PID:4624

C:\Users\Admin\AppData\Local\Temp\tmp240594578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240594578.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:380
- C:\Users\Admin\AppData\Local\Temp\tmp240723265.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240723265.exe
  2⤵
  PID:2008

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3820

C:\Users\Admin\AppData\Local\Temp\tmp240594265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240594265.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2520

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
PID:2080
- C:\Users\Admin\AppData\Local\Temp\tmp240600031.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240600031.exe
  2⤵
  PID:4204
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    PID:5112
  - - C:\Users\Admin\AppData\Local\Temp\tmp240602437.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240602437.exe
      4⤵
      PID:2592
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:4440
      - C:\Users\Admin\AppData\Local\Temp\tmp240603109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603109.exe
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1092
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        Executes dropped EXE
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603640.exe
        8⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3532
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        Executes dropped EXE
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608578.exe
        10⤵
        Executes dropped EXE
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608531.exe
        10⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606312.exe
        8⤵
        Executes dropped EXE
        
        PID:4868
      - C:\Users\Admin\AppData\Local\Temp\tmp240603343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603343.exe
        6⤵
        
        PID:3816
  - - C:\Users\Admin\AppData\Local\Temp\tmp240602812.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240602812.exe
      4⤵
      Executes dropped EXE
      PID:1108
  - - C:\Users\Admin\AppData\Local\Temp\tmp240723734.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240723734.exe
      4⤵
      PID:2160
    - - C:\Users\Admin\AppData\Local\Temp\tmp240724031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724031.exe
        5⤵
        
        PID:2640
    - - C:\Users\Admin\AppData\Local\Temp\tmp240727390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240727390.exe
        5⤵
        
        PID:3104
      - C:\Users\Admin\AppData\Local\Temp\tmp240732843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240732843.exe
        6⤵
        
        PID:1332
  - - C:\Users\Admin\AppData\Local\Temp\tmp240723593.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240723593.exe
      4⤵
      PID:4684
- C:\Users\Admin\AppData\Local\Temp\tmp240602015.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240602015.exe
  2⤵
  PID:4808
- - C:\Users\Admin\AppData\Local\Temp\tmp240635843.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240635843.exe
    3⤵
    PID:3572
- - C:\Users\Admin\AppData\Local\Temp\tmp240635890.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240635890.exe
    3⤵
    PID:4548
  - - C:\Users\Admin\AppData\Local\Temp\tmp240636031.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240636031.exe
      4⤵
      PID:3780
    - - C:\Users\Admin\AppData\Local\Temp\tmp240643890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643890.exe
        5⤵
        
        PID:4108
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645203.exe
        7⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647890.exe
        9⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648453.exe
        9⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649875.exe
        10⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650687.exe
        10⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653562.exe
        11⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655218.exe
        11⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662703.exe
        12⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664953.exe
        12⤵
        Executes dropped EXE
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672812.exe
        13⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678953.exe
        13⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647593.exe
        7⤵
        Executes dropped EXE
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650656.exe
        8⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652343.exe
        8⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655281.exe
        9⤵
        
        PID:260
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662609.exe
        9⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665125.exe
        10⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669640.exe
        10⤵
        
        PID:4708
    - - C:\Users\Admin\AppData\Local\Temp\tmp240644890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644890.exe
        5⤵
        
        PID:1560

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
PID:4696
- C:\Users\Admin\AppData\Local\Temp\tmp240609125.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240609125.exe
  2⤵
  PID:4588
- C:\Users\Admin\AppData\Local\Temp\tmp240608828.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240608828.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  PID:4308
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:4420

C:\Users\Admin\AppData\Local\Temp\tmp240609578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240609578.exe
1⤵
PID:3108
- C:\Users\Admin\AppData\Local\Temp\tmp240609656.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240609656.exe
  2⤵
  PID:1312
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    PID:5036
- C:\Users\Admin\AppData\Local\Temp\tmp240610015.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240610015.exe
  2⤵
  PID:1776

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
PID:4468
- C:\Users\Admin\AppData\Local\Temp\tmp240609796.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240609796.exe
  2⤵
  - Executes dropped EXE
  PID:4532
- C:\Users\Admin\AppData\Local\Temp\tmp240610187.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240610187.exe
  2⤵
  - Executes dropped EXE
  PID:388

C:\Users\Admin\AppData\Local\Temp\tmp240609437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240609437.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:3680

C:\Users\Admin\AppData\Local\Temp\tmp240610375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240610375.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:1292
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  PID:2028
- - C:\Users\Admin\AppData\Local\Temp\tmp240610937.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240610937.exe
    3⤵
    PID:2196
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      Executes dropped EXE
      PID:3176
    - - C:\Users\Admin\AppData\Local\Temp\tmp240611671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611671.exe
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        
        PID:856
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        Executes dropped EXE
        
        PID:3848
    - - C:\Users\Admin\AppData\Local\Temp\tmp240618187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618187.exe
        5⤵
        Executes dropped EXE
        
        PID:4668
- - C:\Users\Admin\AppData\Local\Temp\tmp240611000.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240611000.exe
    3⤵
    PID:2224
  - - C:\Users\Admin\AppData\Local\Temp\tmp240611187.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240611187.exe
      4⤵
      PID:4888
  - - C:\Users\Admin\AppData\Local\Temp\tmp240611109.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240611109.exe
      4⤵
      PID:1672

C:\Users\Admin\AppData\Local\Temp\tmp240610593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240610593.exe
1⤵
- Executes dropped EXE
PID:3184
- C:\Users\Admin\AppData\Local\Temp\tmp240610687.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240610687.exe
  2⤵
  PID:1464
- C:\Users\Admin\AppData\Local\Temp\tmp240610765.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240610765.exe
  2⤵
  - Executes dropped EXE
  PID:1304

C:\Users\Admin\AppData\Local\Temp\tmp240610437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240610437.exe
1⤵
- Executes dropped EXE
PID:3056

C:\Users\Admin\AppData\Local\Temp\tmp240610468.exe
C:\Users\Admin\AppData\Local\Temp\tmp240610468.exe
1⤵
- Executes dropped EXE
PID:4932

C:\Users\Admin\AppData\Local\Temp\tmp240618421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240618421.exe
1⤵
PID:4148
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:2040
- - C:\Users\Admin\AppData\Local\Temp\tmp240618968.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240618968.exe
    3⤵
    - Checks computer location settings
    - Drops file in System32 directory
    - Modifies registry class
    PID:4680
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:3060
    - - C:\Users\Admin\AppData\Local\Temp\tmp240619718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619718.exe
        5⤵
        
        PID:2624
      - C:\Users\Admin\AppData\Local\Temp\tmp240619906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619906.exe
        6⤵
        
        PID:1456
      - C:\Users\Admin\AppData\Local\Temp\tmp240619968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619968.exe
        6⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620125.exe
        7⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620328.exe
        7⤵
        
        PID:984
- - C:\Users\Admin\AppData\Local\Temp\tmp240619062.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240619062.exe
    3⤵
    PID:1756
  - - C:\Users\Admin\AppData\Local\Temp\tmp240619109.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240619109.exe
      4⤵
      PID:1912
  - - C:\Users\Admin\AppData\Local\Temp\tmp240619281.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240619281.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4660

C:\Users\Admin\AppData\Local\Temp\tmp240618468.exe
C:\Users\Admin\AppData\Local\Temp\tmp240618468.exe
1⤵
PID:628

C:\Users\Admin\AppData\Local\Temp\tmp240618828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240618828.exe
1⤵
PID:724

C:\Users\Admin\AppData\Local\Temp\tmp240619687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240619687.exe
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:1132
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:3780
- - C:\Users\Admin\AppData\Local\Temp\tmp240620015.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240620015.exe
    3⤵
    - Checks computer location settings
    - Drops file in System32 directory
    - Modifies registry class
    PID:4188
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:2248
    - - C:\Users\Admin\AppData\Local\Temp\tmp240620437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620437.exe
        5⤵
        
        PID:2592
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:2412
    - - C:\Users\Admin\AppData\Local\Temp\tmp240620500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620500.exe
        5⤵
        
        PID:1144
- - C:\Users\Admin\AppData\Local\Temp\tmp240620156.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240620156.exe
    3⤵
    PID:2808

C:\Users\Admin\AppData\Local\Temp\tmp240620515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240620515.exe
1⤵
PID:2304

C:\Users\Admin\AppData\Local\Temp\tmp240620781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240620781.exe
1⤵
PID:3244
- C:\Users\Admin\AppData\Local\Temp\tmp240620890.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240620890.exe
  2⤵
  PID:584
- C:\Users\Admin\AppData\Local\Temp\tmp240621015.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240621015.exe
  2⤵
  PID:3040

C:\Users\Admin\AppData\Local\Temp\tmp240621187.exe
C:\Users\Admin\AppData\Local\Temp\tmp240621187.exe
1⤵
PID:3052
- C:\Users\Admin\AppData\Local\Temp\tmp240621406.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240621406.exe
  2⤵
  PID:4016
- C:\Users\Admin\AppData\Local\Temp\tmp240621265.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240621265.exe
  2⤵
  PID:3620

C:\Users\Admin\AppData\Local\Temp\tmp240621218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240621218.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:4048
- C:\Users\Admin\AppData\Local\Temp\tmp240621437.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240621437.exe
  2⤵
  PID:3516
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:1916
  - - C:\Users\Admin\AppData\Local\Temp\tmp240622125.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240622125.exe
      4⤵
      PID:4200
  - - C:\Users\Admin\AppData\Local\Temp\tmp240621812.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240621812.exe
      4⤵
      PID:5116
- C:\Users\Admin\AppData\Local\Temp\tmp240621500.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240621500.exe
  2⤵
  PID:4616
- - C:\Users\Admin\AppData\Local\Temp\tmp240622171.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240622171.exe
    3⤵
    PID:3076
- - C:\Users\Admin\AppData\Local\Temp\tmp240621578.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240621578.exe
    3⤵
    PID:2104

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:2140
- C:\Users\Admin\AppData\Local\Temp\tmp240621484.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240621484.exe
  2⤵
  PID:4052
- C:\Users\Admin\AppData\Local\Temp\tmp240621531.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240621531.exe
  2⤵
  PID:4080
- - C:\Users\Admin\AppData\Local\Temp\tmp240622296.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240622296.exe
    3⤵
    PID:3432
  - - C:\Users\Admin\AppData\Local\Temp\tmp240622406.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240622406.exe
      4⤵
      PID:1832
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:1484
      - C:\Users\Admin\AppData\Local\Temp\tmp240633140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633140.exe
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4888
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3772
      - C:\Users\Admin\AppData\Local\Temp\tmp240634328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634328.exe
        6⤵
        
        PID:1112
  - - C:\Users\Admin\AppData\Local\Temp\tmp240632875.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240632875.exe
      4⤵
      PID:1008
- - C:\Users\Admin\AppData\Local\Temp\tmp240622203.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240622203.exe
    3⤵
    PID:3896

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1448
- C:\Users\Admin\AppData\Local\Temp\tmp240622531.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240622531.exe
  2⤵
  PID:1840
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:3576
  - - C:\Users\Admin\AppData\Local\Temp\tmp240633828.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240633828.exe
      4⤵
      PID:3144
  - - C:\Users\Admin\AppData\Local\Temp\tmp240634359.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240634359.exe
      4⤵
      PID:5008
- C:\Users\Admin\AppData\Local\Temp\tmp240633578.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240633578.exe
  2⤵
  PID:2640
- - C:\Users\Admin\AppData\Local\Temp\tmp240634343.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240634343.exe
    3⤵
    PID:1956
- - C:\Users\Admin\AppData\Local\Temp\tmp240634468.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240634468.exe
    3⤵
    PID:2384

C:\Users\Admin\AppData\Local\Temp\tmp240622281.exe
C:\Users\Admin\AppData\Local\Temp\tmp240622281.exe
1⤵
PID:3544
- C:\Users\Admin\AppData\Local\Temp\tmp240622437.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240622437.exe
  2⤵
  PID:4936
- C:\Users\Admin\AppData\Local\Temp\tmp240632906.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240632906.exe
  2⤵
  - Executes dropped EXE
  PID:2224

C:\Users\Admin\AppData\Local\Temp\tmp240622187.exe
C:\Users\Admin\AppData\Local\Temp\tmp240622187.exe
1⤵
PID:4904

C:\Users\Admin\AppData\Local\Temp\tmp240621156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240621156.exe
1⤵
PID:4272

C:\Users\Admin\AppData\Local\Temp\tmp240620984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240620984.exe
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:4152

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:3808

C:\Users\Admin\AppData\Local\Temp\tmp240620859.exe
C:\Users\Admin\AppData\Local\Temp\tmp240620859.exe
1⤵
PID:3196

C:\Users\Admin\AppData\Local\Temp\tmp240620765.exe
C:\Users\Admin\AppData\Local\Temp\tmp240620765.exe
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:976

C:\Users\Admin\AppData\Local\Temp\tmp240620656.exe
C:\Users\Admin\AppData\Local\Temp\tmp240620656.exe
1⤵
PID:4440

C:\Users\Admin\AppData\Local\Temp\tmp240620609.exe
C:\Users\Admin\AppData\Local\Temp\tmp240620609.exe
1⤵
PID:1580

C:\Users\Admin\AppData\Local\Temp\tmp240618671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240618671.exe
1⤵
PID:4460

C:\Users\Admin\AppData\Local\Temp\tmp240618656.exe
C:\Users\Admin\AppData\Local\Temp\tmp240618656.exe
1⤵
PID:3520

C:\Users\Admin\AppData\Local\Temp\tmp240618531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240618531.exe
1⤵
PID:4780

C:\Users\Admin\AppData\Local\Temp\tmp240634578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240634578.exe
1⤵
PID:952

C:\Users\Admin\AppData\Local\Temp\tmp240634609.exe
C:\Users\Admin\AppData\Local\Temp\tmp240634609.exe
1⤵
PID:260

C:\Users\Admin\AppData\Local\Temp\tmp240634671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240634671.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:216
- C:\Users\Admin\AppData\Local\Temp\tmp240635031.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240635031.exe
  2⤵
  PID:4496
- C:\Users\Admin\AppData\Local\Temp\tmp240634875.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240634875.exe
  2⤵
  PID:4460

C:\Users\Admin\AppData\Local\Temp\tmp240634656.exe
C:\Users\Admin\AppData\Local\Temp\tmp240634656.exe
1⤵
PID:3956
- C:\Users\Admin\AppData\Local\Temp\tmp240635046.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240635046.exe
  2⤵
  PID:4148
- C:\Users\Admin\AppData\Local\Temp\tmp240634906.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240634906.exe
  2⤵
  PID:4772

C:\Users\Admin\AppData\Local\Temp\tmp240635515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240635515.exe
1⤵
PID:4688

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:4204
- C:\Users\Admin\AppData\Local\Temp\tmp240635656.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240635656.exe
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  PID:2272
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:4196
  - - C:\Users\Admin\AppData\Local\Temp\tmp240643875.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240643875.exe
      4⤵
      Checks computer location settings
      Drops file in System32 directory
      Modifies registry class
      PID:2248
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:1044
      - C:\Users\Admin\AppData\Local\Temp\tmp240644250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644250.exe
        6⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3384
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647031.exe
        8⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648296.exe
        8⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649625.exe
        9⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649671.exe
        9⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650718.exe
        10⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4200
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652546.exe
        12⤵
        Checks computer location settings
        Modifies registry class
        
        PID:516
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        Executes dropped EXE
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658390.exe
        14⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662750.exe
        14⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669703.exe
        15⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678812.exe
        16⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681093.exe
        16⤵
        Executes dropped EXE
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692281.exe
        17⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693656.exe
        17⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674937.exe
        15⤵
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685078.exe
        16⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690546.exe
        16⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693140.exe
        17⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693484.exe
        17⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694093.exe
        18⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697328.exe
        18⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654968.exe
        12⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658218.exe
        13⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662687.exe
        13⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666656.exe
        14⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669703.exe
        14⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678875.exe
        15⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3108
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691750.exe
        17⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693296.exe
        17⤵
        
        PID:1008
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693562.exe
        18⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694031.exe
        18⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698203.exe
        19⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4192
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703281.exe
        21⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707359.exe
        21⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710734.exe
        22⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714203.exe
        22⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702875.exe
        19⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707265.exe
        20⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708062.exe
        20⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710828.exe
        21⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718437.exe
        21⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681078.exe
        15⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692250.exe
        16⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693359.exe
        16⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652312.exe
        10⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655062.exe
        11⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:376
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660046.exe
        13⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662812.exe
        13⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674656.exe
        14⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674828.exe
        15⤵
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684312.exe
        15⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692265.exe
        16⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693468.exe
        16⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693609.exe
        17⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693953.exe
        17⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669765.exe
        14⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659687.exe
        11⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662968.exe
        12⤵
        
        PID:2672
      - C:\Users\Admin\AppData\Local\Temp\tmp240646781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646781.exe
        6⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649640.exe
        7⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650671.exe
        7⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653593.exe
        8⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655015.exe
        8⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659703.exe
        9⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1684
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665421.exe
        11⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672765.exe
        11⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678828.exe
        12⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685031.exe
        12⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693187.exe
        13⤵
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693703.exe
        13⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693937.exe
        14⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1424
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697796.exe
        16⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:624
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        17⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702390.exe
        18⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4604
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        19⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707125.exe
        20⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3584
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        21⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708015.exe
        22⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5012
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        23⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240711015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240711015.exe
        24⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240713968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240713968.exe
        24⤵
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723984.exe
        25⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240727375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240727375.exe
        26⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710578.exe
        22⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\tmp240713953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240713953.exe
        23⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718484.exe
        23⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707687.exe
        20⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710687.exe
        21⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\tmp240713984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240713984.exe
        21⤵
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723796.exe
        22⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723968.exe
        22⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240727500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240727500.exe
        23⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706796.exe
        18⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709343.exe
        19⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\tmp240712890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240712890.exe
        19⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723250.exe
        20⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723484.exe
        20⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723781.exe
        21⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723921.exe
        21⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240727453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240727453.exe
        22⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\tmp240731578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240731578.exe
        22⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702031.exe
        16⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707218.exe
        17⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4184
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709562.exe
        19⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\tmp240713062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240713062.exe
        21⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718546.exe
        21⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240712781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240712781.exe
        19⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714203.exe
        20⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719796.exe
        20⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724140.exe
        21⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\tmp240727421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240727421.exe
        22⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240732796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240732796.exe
        22⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708046.exe
        17⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\tmp240713859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240713859.exe
        18⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714062.exe
        19⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718531.exe
        19⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710703.exe
        18⤵
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240696578.exe
        14⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700390.exe
        15⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702937.exe
        15⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664968.exe
        9⤵
        
        PID:1556
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669640.exe
        10⤵
        
        PID:4784
  - - C:\Users\Admin\AppData\Local\Temp\tmp240643921.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240643921.exe
      4⤵
      PID:3244
    - - C:\Users\Admin\AppData\Local\Temp\tmp240647406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647406.exe
        5⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3388
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        Executes dropped EXE
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650796.exe
        7⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4956
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653843.exe
        9⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655093.exe
        9⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662859.exe
        10⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663000.exe
        10⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669625.exe
        11⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672781.exe
        11⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674781.exe
        12⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653500.exe
        7⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655234.exe
        8⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2384
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663171.exe
        10⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678984.exe
        12⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685140.exe
        12⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693515.exe
        13⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693765.exe
        13⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694062.exe
        14⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697375.exe
        14⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240702921.exe
        15⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707250.exe
        15⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709359.exe
        16⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240712843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240712843.exe
        16⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667640.exe
        10⤵
        Executes dropped EXE
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669671.exe
        11⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674765.exe
        11⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684359.exe
        12⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4876
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694109.exe
        14⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697343.exe
        14⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706156.exe
        15⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1820
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707593.exe
        17⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709328.exe
        17⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240713843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240713843.exe
        18⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714109.exe
        19⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724000.exe
        21⤵
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718468.exe
        19⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\tmp240712812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240712812.exe
        18⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707171.exe
        15⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710718.exe
        16⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714000.exe
        16⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723390.exe
        17⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\tmp240727265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240727265.exe
        18⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724078.exe
        18⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723234.exe
        17⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723421.exe
        13⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723515.exe
        13⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723765.exe
        14⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\tmp240727703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240727703.exe
        16⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240726656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240726656.exe
        14⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690562.exe
        12⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693343.exe
        13⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693546.exe
        13⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693968.exe
        14⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697390.exe
        14⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662609.exe
        8⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665093.exe
        9⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669609.exe
        9⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674812.exe
        10⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681125.exe
        10⤵
        
        PID:2128
    - - C:\Users\Admin\AppData\Local\Temp\tmp240648265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648265.exe
        5⤵
        Executes dropped EXE
        
        PID:4588
      - C:\Users\Admin\AppData\Local\Temp\tmp240649656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649656.exe
        6⤵
        
        PID:4484
      - C:\Users\Admin\AppData\Local\Temp\tmp240650625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650625.exe
        6⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654984.exe
        7⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658203.exe
        8⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653578.exe
        7⤵
        
        PID:444
- C:\Users\Admin\AppData\Local\Temp\tmp240635765.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240635765.exe
  2⤵
  - Executes dropped EXE
  PID:4808

C:\Users\Admin\AppData\Local\Temp\tmp240635390.exe
C:\Users\Admin\AppData\Local\Temp\tmp240635390.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:748

C:\Users\Admin\AppData\Local\Temp\tmp240636015.exe
C:\Users\Admin\AppData\Local\Temp\tmp240636015.exe
1⤵
PID:1140

C:\Users\Admin\AppData\Local\Temp\tmp240634703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240634703.exe
1⤵
PID:3732

C:\Users\Admin\AppData\Local\Temp\tmp240634484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240634484.exe
1⤵
PID:1920

C:\Users\Admin\AppData\Local\Temp\tmp240662890.exe
C:\Users\Admin\AppData\Local\Temp\tmp240662890.exe
1⤵
PID:4772

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:3156
- C:\Users\Admin\AppData\Local\Temp\tmp240714359.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240714359.exe
  2⤵
  PID:1484
- C:\Users\Admin\AppData\Local\Temp\tmp240719718.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240719718.exe
  2⤵
  PID:3224
- - C:\Users\Admin\AppData\Local\Temp\tmp240723859.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240723859.exe
    3⤵
    PID:1580
  - - C:\Users\Admin\AppData\Local\Temp\tmp240727359.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240727359.exe
      4⤵
      PID:4688

C:\Users\Admin\AppData\Local\Temp\tmp240723656.exe
C:\Users\Admin\AppData\Local\Temp\tmp240723656.exe
1⤵
PID:3552

C:\Users\Admin\AppData\Local\Temp\tmp240723578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240723578.exe
1⤵
PID:4680

C:\Users\Admin\AppData\Local\Temp\tmp240723546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240723546.exe
1⤵
PID:3924
- C:\Users\Admin\AppData\Local\Temp\tmp240723812.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240723812.exe
  2⤵
  PID:2516
- C:\Users\Admin\AppData\Local\Temp\tmp240726765.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240726765.exe
  2⤵
  PID:1640

C:\Users\Admin\AppData\Local\Temp\tmp240723531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240723531.exe
1⤵
PID:3796

C:\Users\Admin\AppData\Local\Temp\tmp240723468.exe
C:\Users\Admin\AppData\Local\Temp\tmp240723468.exe
1⤵
PID:1248

C:\Users\Admin\AppData\Local\Temp\tmp240723437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240723437.exe
1⤵
PID:4372

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp240585937.exe

Filesize
3.2MB

MD5
b5aeba84e9919fa80a2dd41fcf67005f

SHA1
58c93a841aae43af8f6de34e0c1c9d37c9f8fa94

SHA256
8ef500449cca79a6cce1663c443d2110e64eb8a239f2b6a8bd52a1618d22e850

SHA512
2c711791f73a0258890c10776f5f5cb019b56fa6902876d0ed484fb778baa005a075e77cba5b245d0b28c9389c979dc5823388d6ac7c6e9f4540d99f6a2f8464

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240585937.exe

Filesize
3.2MB

MD5
b5aeba84e9919fa80a2dd41fcf67005f

SHA1
58c93a841aae43af8f6de34e0c1c9d37c9f8fa94

SHA256
8ef500449cca79a6cce1663c443d2110e64eb8a239f2b6a8bd52a1618d22e850

SHA512
2c711791f73a0258890c10776f5f5cb019b56fa6902876d0ed484fb778baa005a075e77cba5b245d0b28c9389c979dc5823388d6ac7c6e9f4540d99f6a2f8464

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240586218.exe

Filesize
3.3MB

MD5
f7c76b2ae686d538ac579ae36742ae0e

SHA1
1b94aa066594121d7f8bdda7208264c89d87e3cf

SHA256
86b58cc34c101d895feefacc969f6b94753519957969c1641bced67ecb44b1fb

SHA512
28a1438d62427686610ca80f94e9ddf23cef91059014a50f25c943694f3e3cd917af1a8dbe807af6a37a49ec7285676037a7efab2f4195c4124decd4eabea726

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240586218.exe

Filesize
3.3MB

MD5
f7c76b2ae686d538ac579ae36742ae0e

SHA1
1b94aa066594121d7f8bdda7208264c89d87e3cf

SHA256
86b58cc34c101d895feefacc969f6b94753519957969c1641bced67ecb44b1fb

SHA512
28a1438d62427686610ca80f94e9ddf23cef91059014a50f25c943694f3e3cd917af1a8dbe807af6a37a49ec7285676037a7efab2f4195c4124decd4eabea726

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240586406.exe

Filesize
3.2MB

MD5
b5aeba84e9919fa80a2dd41fcf67005f

SHA1
58c93a841aae43af8f6de34e0c1c9d37c9f8fa94

SHA256
8ef500449cca79a6cce1663c443d2110e64eb8a239f2b6a8bd52a1618d22e850

SHA512
2c711791f73a0258890c10776f5f5cb019b56fa6902876d0ed484fb778baa005a075e77cba5b245d0b28c9389c979dc5823388d6ac7c6e9f4540d99f6a2f8464

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240586406.exe

Filesize
3.2MB

MD5
b5aeba84e9919fa80a2dd41fcf67005f

SHA1
58c93a841aae43af8f6de34e0c1c9d37c9f8fa94

SHA256
8ef500449cca79a6cce1663c443d2110e64eb8a239f2b6a8bd52a1618d22e850

SHA512
2c711791f73a0258890c10776f5f5cb019b56fa6902876d0ed484fb778baa005a075e77cba5b245d0b28c9389c979dc5823388d6ac7c6e9f4540d99f6a2f8464

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240586671.exe

Filesize
67KB

MD5
388b8fbc36a8558587afc90fb23a3b99

SHA1
ed55ad0a7078651857bd8fc0eedd8b07f94594cc

SHA256
fefeac4c10bbe237cc6c861229ecaacbd2a366ac4fbd04a3862b62bd7a778093

SHA512
0a91f6fd90f3429a69c907d9f81420334be92407269df964b6619874aa241ec6aeb2c1920ac643ce604c7ea65b21cc80f0a09c722327b6c3b7be58f9e3029e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240586671.exe

Filesize
67KB

MD5
388b8fbc36a8558587afc90fb23a3b99

SHA1
ed55ad0a7078651857bd8fc0eedd8b07f94594cc

SHA256
fefeac4c10bbe237cc6c861229ecaacbd2a366ac4fbd04a3862b62bd7a778093

SHA512
0a91f6fd90f3429a69c907d9f81420334be92407269df964b6619874aa241ec6aeb2c1920ac643ce604c7ea65b21cc80f0a09c722327b6c3b7be58f9e3029e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240587515.exe

Filesize
3.2MB

MD5
b5aeba84e9919fa80a2dd41fcf67005f

SHA1
58c93a841aae43af8f6de34e0c1c9d37c9f8fa94

SHA256
8ef500449cca79a6cce1663c443d2110e64eb8a239f2b6a8bd52a1618d22e850

SHA512
2c711791f73a0258890c10776f5f5cb019b56fa6902876d0ed484fb778baa005a075e77cba5b245d0b28c9389c979dc5823388d6ac7c6e9f4540d99f6a2f8464

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240587515.exe

Filesize
3.2MB

MD5
b5aeba84e9919fa80a2dd41fcf67005f

SHA1
58c93a841aae43af8f6de34e0c1c9d37c9f8fa94

SHA256
8ef500449cca79a6cce1663c443d2110e64eb8a239f2b6a8bd52a1618d22e850

SHA512
2c711791f73a0258890c10776f5f5cb019b56fa6902876d0ed484fb778baa005a075e77cba5b245d0b28c9389c979dc5823388d6ac7c6e9f4540d99f6a2f8464

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240588156.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240594265.exe

Filesize
3.2MB

MD5
b5aeba84e9919fa80a2dd41fcf67005f

SHA1
58c93a841aae43af8f6de34e0c1c9d37c9f8fa94

SHA256
8ef500449cca79a6cce1663c443d2110e64eb8a239f2b6a8bd52a1618d22e850

SHA512
2c711791f73a0258890c10776f5f5cb019b56fa6902876d0ed484fb778baa005a075e77cba5b245d0b28c9389c979dc5823388d6ac7c6e9f4540d99f6a2f8464

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240594265.exe

Filesize
3.2MB

MD5
b5aeba84e9919fa80a2dd41fcf67005f

SHA1
58c93a841aae43af8f6de34e0c1c9d37c9f8fa94

SHA256
8ef500449cca79a6cce1663c443d2110e64eb8a239f2b6a8bd52a1618d22e850

SHA512
2c711791f73a0258890c10776f5f5cb019b56fa6902876d0ed484fb778baa005a075e77cba5b245d0b28c9389c979dc5823388d6ac7c6e9f4540d99f6a2f8464

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240594328.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240594578.exe

Filesize
3.2MB

MD5
b5aeba84e9919fa80a2dd41fcf67005f

SHA1
58c93a841aae43af8f6de34e0c1c9d37c9f8fa94

SHA256
8ef500449cca79a6cce1663c443d2110e64eb8a239f2b6a8bd52a1618d22e850

SHA512
2c711791f73a0258890c10776f5f5cb019b56fa6902876d0ed484fb778baa005a075e77cba5b245d0b28c9389c979dc5823388d6ac7c6e9f4540d99f6a2f8464

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240594578.exe

Filesize
3.2MB

MD5
b5aeba84e9919fa80a2dd41fcf67005f

SHA1
58c93a841aae43af8f6de34e0c1c9d37c9f8fa94

SHA256
8ef500449cca79a6cce1663c443d2110e64eb8a239f2b6a8bd52a1618d22e850

SHA512
2c711791f73a0258890c10776f5f5cb019b56fa6902876d0ed484fb778baa005a075e77cba5b245d0b28c9389c979dc5823388d6ac7c6e9f4540d99f6a2f8464

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240594625.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240594953.exe

Filesize
3.2MB

MD5
b5aeba84e9919fa80a2dd41fcf67005f

SHA1
58c93a841aae43af8f6de34e0c1c9d37c9f8fa94

SHA256
8ef500449cca79a6cce1663c443d2110e64eb8a239f2b6a8bd52a1618d22e850

SHA512
2c711791f73a0258890c10776f5f5cb019b56fa6902876d0ed484fb778baa005a075e77cba5b245d0b28c9389c979dc5823388d6ac7c6e9f4540d99f6a2f8464

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240594953.exe

Filesize
3.2MB

MD5
b5aeba84e9919fa80a2dd41fcf67005f

SHA1
58c93a841aae43af8f6de34e0c1c9d37c9f8fa94

SHA256
8ef500449cca79a6cce1663c443d2110e64eb8a239f2b6a8bd52a1618d22e850

SHA512
2c711791f73a0258890c10776f5f5cb019b56fa6902876d0ed484fb778baa005a075e77cba5b245d0b28c9389c979dc5823388d6ac7c6e9f4540d99f6a2f8464

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240595234.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240595562.exe

Filesize
3.2MB

MD5
b5aeba84e9919fa80a2dd41fcf67005f

SHA1
58c93a841aae43af8f6de34e0c1c9d37c9f8fa94

SHA256
8ef500449cca79a6cce1663c443d2110e64eb8a239f2b6a8bd52a1618d22e850

SHA512
2c711791f73a0258890c10776f5f5cb019b56fa6902876d0ed484fb778baa005a075e77cba5b245d0b28c9389c979dc5823388d6ac7c6e9f4540d99f6a2f8464

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240595562.exe

Filesize
3.2MB

MD5
b5aeba84e9919fa80a2dd41fcf67005f

SHA1
58c93a841aae43af8f6de34e0c1c9d37c9f8fa94

SHA256
8ef500449cca79a6cce1663c443d2110e64eb8a239f2b6a8bd52a1618d22e850

SHA512
2c711791f73a0258890c10776f5f5cb019b56fa6902876d0ed484fb778baa005a075e77cba5b245d0b28c9389c979dc5823388d6ac7c6e9f4540d99f6a2f8464

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240598031.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240598359.exe

Filesize
3.2MB

MD5
b5aeba84e9919fa80a2dd41fcf67005f

SHA1
58c93a841aae43af8f6de34e0c1c9d37c9f8fa94

SHA256
8ef500449cca79a6cce1663c443d2110e64eb8a239f2b6a8bd52a1618d22e850

SHA512
2c711791f73a0258890c10776f5f5cb019b56fa6902876d0ed484fb778baa005a075e77cba5b245d0b28c9389c979dc5823388d6ac7c6e9f4540d99f6a2f8464

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240598359.exe

Filesize
3.2MB

MD5
b5aeba84e9919fa80a2dd41fcf67005f

SHA1
58c93a841aae43af8f6de34e0c1c9d37c9f8fa94

SHA256
8ef500449cca79a6cce1663c443d2110e64eb8a239f2b6a8bd52a1618d22e850

SHA512
2c711791f73a0258890c10776f5f5cb019b56fa6902876d0ed484fb778baa005a075e77cba5b245d0b28c9389c979dc5823388d6ac7c6e9f4540d99f6a2f8464

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240599703.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240600031.exe

Filesize
3.2MB

MD5
b5aeba84e9919fa80a2dd41fcf67005f

SHA1
58c93a841aae43af8f6de34e0c1c9d37c9f8fa94

SHA256
8ef500449cca79a6cce1663c443d2110e64eb8a239f2b6a8bd52a1618d22e850

SHA512
2c711791f73a0258890c10776f5f5cb019b56fa6902876d0ed484fb778baa005a075e77cba5b245d0b28c9389c979dc5823388d6ac7c6e9f4540d99f6a2f8464

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240600031.exe

Filesize
3.2MB

MD5
b5aeba84e9919fa80a2dd41fcf67005f

SHA1
58c93a841aae43af8f6de34e0c1c9d37c9f8fa94

SHA256
8ef500449cca79a6cce1663c443d2110e64eb8a239f2b6a8bd52a1618d22e850

SHA512
2c711791f73a0258890c10776f5f5cb019b56fa6902876d0ed484fb778baa005a075e77cba5b245d0b28c9389c979dc5823388d6ac7c6e9f4540d99f6a2f8464

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240602015.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240602437.exe

Filesize
3.2MB

MD5
b5aeba84e9919fa80a2dd41fcf67005f

SHA1
58c93a841aae43af8f6de34e0c1c9d37c9f8fa94

SHA256
8ef500449cca79a6cce1663c443d2110e64eb8a239f2b6a8bd52a1618d22e850

SHA512
2c711791f73a0258890c10776f5f5cb019b56fa6902876d0ed484fb778baa005a075e77cba5b245d0b28c9389c979dc5823388d6ac7c6e9f4540d99f6a2f8464

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240602437.exe

Filesize
3.2MB

MD5
b5aeba84e9919fa80a2dd41fcf67005f

SHA1
58c93a841aae43af8f6de34e0c1c9d37c9f8fa94

SHA256
8ef500449cca79a6cce1663c443d2110e64eb8a239f2b6a8bd52a1618d22e850

SHA512
2c711791f73a0258890c10776f5f5cb019b56fa6902876d0ed484fb778baa005a075e77cba5b245d0b28c9389c979dc5823388d6ac7c6e9f4540d99f6a2f8464

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240602812.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240603109.exe

Filesize
3.2MB

MD5
b5aeba84e9919fa80a2dd41fcf67005f

SHA1
58c93a841aae43af8f6de34e0c1c9d37c9f8fa94

SHA256
8ef500449cca79a6cce1663c443d2110e64eb8a239f2b6a8bd52a1618d22e850

SHA512
2c711791f73a0258890c10776f5f5cb019b56fa6902876d0ed484fb778baa005a075e77cba5b245d0b28c9389c979dc5823388d6ac7c6e9f4540d99f6a2f8464

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240603109.exe

Filesize
3.2MB

MD5
b5aeba84e9919fa80a2dd41fcf67005f

SHA1
58c93a841aae43af8f6de34e0c1c9d37c9f8fa94

SHA256
8ef500449cca79a6cce1663c443d2110e64eb8a239f2b6a8bd52a1618d22e850

SHA512
2c711791f73a0258890c10776f5f5cb019b56fa6902876d0ed484fb778baa005a075e77cba5b245d0b28c9389c979dc5823388d6ac7c6e9f4540d99f6a2f8464

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240603343.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
3.2MB

MD5
b5aeba84e9919fa80a2dd41fcf67005f

SHA1
58c93a841aae43af8f6de34e0c1c9d37c9f8fa94

SHA256
8ef500449cca79a6cce1663c443d2110e64eb8a239f2b6a8bd52a1618d22e850

SHA512
2c711791f73a0258890c10776f5f5cb019b56fa6902876d0ed484fb778baa005a075e77cba5b245d0b28c9389c979dc5823388d6ac7c6e9f4540d99f6a2f8464

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
3.2MB

MD5
b5aeba84e9919fa80a2dd41fcf67005f

SHA1
58c93a841aae43af8f6de34e0c1c9d37c9f8fa94

SHA256
8ef500449cca79a6cce1663c443d2110e64eb8a239f2b6a8bd52a1618d22e850

SHA512
2c711791f73a0258890c10776f5f5cb019b56fa6902876d0ed484fb778baa005a075e77cba5b245d0b28c9389c979dc5823388d6ac7c6e9f4540d99f6a2f8464

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
3.2MB

MD5
b5aeba84e9919fa80a2dd41fcf67005f

SHA1
58c93a841aae43af8f6de34e0c1c9d37c9f8fa94

SHA256
8ef500449cca79a6cce1663c443d2110e64eb8a239f2b6a8bd52a1618d22e850

SHA512
2c711791f73a0258890c10776f5f5cb019b56fa6902876d0ed484fb778baa005a075e77cba5b245d0b28c9389c979dc5823388d6ac7c6e9f4540d99f6a2f8464

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
3.2MB

MD5
b5aeba84e9919fa80a2dd41fcf67005f

SHA1
58c93a841aae43af8f6de34e0c1c9d37c9f8fa94

SHA256
8ef500449cca79a6cce1663c443d2110e64eb8a239f2b6a8bd52a1618d22e850

SHA512
2c711791f73a0258890c10776f5f5cb019b56fa6902876d0ed484fb778baa005a075e77cba5b245d0b28c9389c979dc5823388d6ac7c6e9f4540d99f6a2f8464

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
3.2MB

MD5
b5aeba84e9919fa80a2dd41fcf67005f

SHA1
58c93a841aae43af8f6de34e0c1c9d37c9f8fa94

SHA256
8ef500449cca79a6cce1663c443d2110e64eb8a239f2b6a8bd52a1618d22e850

SHA512
2c711791f73a0258890c10776f5f5cb019b56fa6902876d0ed484fb778baa005a075e77cba5b245d0b28c9389c979dc5823388d6ac7c6e9f4540d99f6a2f8464

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
3.2MB

MD5
b5aeba84e9919fa80a2dd41fcf67005f

SHA1
58c93a841aae43af8f6de34e0c1c9d37c9f8fa94

SHA256
8ef500449cca79a6cce1663c443d2110e64eb8a239f2b6a8bd52a1618d22e850

SHA512
2c711791f73a0258890c10776f5f5cb019b56fa6902876d0ed484fb778baa005a075e77cba5b245d0b28c9389c979dc5823388d6ac7c6e9f4540d99f6a2f8464

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
3.2MB

MD5
b5aeba84e9919fa80a2dd41fcf67005f

SHA1
58c93a841aae43af8f6de34e0c1c9d37c9f8fa94

SHA256
8ef500449cca79a6cce1663c443d2110e64eb8a239f2b6a8bd52a1618d22e850

SHA512
2c711791f73a0258890c10776f5f5cb019b56fa6902876d0ed484fb778baa005a075e77cba5b245d0b28c9389c979dc5823388d6ac7c6e9f4540d99f6a2f8464

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.4MB

MD5
f85214256f4e33e81b33ce625b502175

SHA1
ff9c8c792f63d698b1b00cf924db90a88035b682

SHA256
f1f2ef316bbdcdc8783415113a7ab84c6835fb24a0a8471986f7cd2cf9f89e6d

SHA512
7d8d7f6b1a0fb9a0f4310519dd547e73e0ae6a7103017f2e92d0e492a00988d92864154ea823946f501a92271d809a4efd7daea01a1c3e746cb2ccd32196bec3

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.4MB

MD5
f85214256f4e33e81b33ce625b502175

SHA1
ff9c8c792f63d698b1b00cf924db90a88035b682

SHA256
f1f2ef316bbdcdc8783415113a7ab84c6835fb24a0a8471986f7cd2cf9f89e6d

SHA512
7d8d7f6b1a0fb9a0f4310519dd547e73e0ae6a7103017f2e92d0e492a00988d92864154ea823946f501a92271d809a4efd7daea01a1c3e746cb2ccd32196bec3

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.4MB

MD5
f85214256f4e33e81b33ce625b502175

SHA1
ff9c8c792f63d698b1b00cf924db90a88035b682

SHA256
f1f2ef316bbdcdc8783415113a7ab84c6835fb24a0a8471986f7cd2cf9f89e6d

SHA512
7d8d7f6b1a0fb9a0f4310519dd547e73e0ae6a7103017f2e92d0e492a00988d92864154ea823946f501a92271d809a4efd7daea01a1c3e746cb2ccd32196bec3

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.4MB

MD5
f85214256f4e33e81b33ce625b502175

SHA1
ff9c8c792f63d698b1b00cf924db90a88035b682

SHA256
f1f2ef316bbdcdc8783415113a7ab84c6835fb24a0a8471986f7cd2cf9f89e6d

SHA512
7d8d7f6b1a0fb9a0f4310519dd547e73e0ae6a7103017f2e92d0e492a00988d92864154ea823946f501a92271d809a4efd7daea01a1c3e746cb2ccd32196bec3

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.4MB

MD5
f85214256f4e33e81b33ce625b502175

SHA1
ff9c8c792f63d698b1b00cf924db90a88035b682

SHA256
f1f2ef316bbdcdc8783415113a7ab84c6835fb24a0a8471986f7cd2cf9f89e6d

SHA512
7d8d7f6b1a0fb9a0f4310519dd547e73e0ae6a7103017f2e92d0e492a00988d92864154ea823946f501a92271d809a4efd7daea01a1c3e746cb2ccd32196bec3

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.4MB

MD5
f85214256f4e33e81b33ce625b502175

SHA1
ff9c8c792f63d698b1b00cf924db90a88035b682

SHA256
f1f2ef316bbdcdc8783415113a7ab84c6835fb24a0a8471986f7cd2cf9f89e6d

SHA512
7d8d7f6b1a0fb9a0f4310519dd547e73e0ae6a7103017f2e92d0e492a00988d92864154ea823946f501a92271d809a4efd7daea01a1c3e746cb2ccd32196bec3

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.4MB

MD5
f85214256f4e33e81b33ce625b502175

SHA1
ff9c8c792f63d698b1b00cf924db90a88035b682

SHA256
f1f2ef316bbdcdc8783415113a7ab84c6835fb24a0a8471986f7cd2cf9f89e6d

SHA512
7d8d7f6b1a0fb9a0f4310519dd547e73e0ae6a7103017f2e92d0e492a00988d92864154ea823946f501a92271d809a4efd7daea01a1c3e746cb2ccd32196bec3

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.4MB

MD5
f85214256f4e33e81b33ce625b502175

SHA1
ff9c8c792f63d698b1b00cf924db90a88035b682

SHA256
f1f2ef316bbdcdc8783415113a7ab84c6835fb24a0a8471986f7cd2cf9f89e6d

SHA512
7d8d7f6b1a0fb9a0f4310519dd547e73e0ae6a7103017f2e92d0e492a00988d92864154ea823946f501a92271d809a4efd7daea01a1c3e746cb2ccd32196bec3

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.4MB

MD5
f85214256f4e33e81b33ce625b502175

SHA1
ff9c8c792f63d698b1b00cf924db90a88035b682

SHA256
f1f2ef316bbdcdc8783415113a7ab84c6835fb24a0a8471986f7cd2cf9f89e6d

SHA512
7d8d7f6b1a0fb9a0f4310519dd547e73e0ae6a7103017f2e92d0e492a00988d92864154ea823946f501a92271d809a4efd7daea01a1c3e746cb2ccd32196bec3

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.4MB

MD5
f85214256f4e33e81b33ce625b502175

SHA1
ff9c8c792f63d698b1b00cf924db90a88035b682

SHA256
f1f2ef316bbdcdc8783415113a7ab84c6835fb24a0a8471986f7cd2cf9f89e6d

SHA512
7d8d7f6b1a0fb9a0f4310519dd547e73e0ae6a7103017f2e92d0e492a00988d92864154ea823946f501a92271d809a4efd7daea01a1c3e746cb2ccd32196bec3

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.4MB

MD5
f85214256f4e33e81b33ce625b502175

SHA1
ff9c8c792f63d698b1b00cf924db90a88035b682

SHA256
f1f2ef316bbdcdc8783415113a7ab84c6835fb24a0a8471986f7cd2cf9f89e6d

SHA512
7d8d7f6b1a0fb9a0f4310519dd547e73e0ae6a7103017f2e92d0e492a00988d92864154ea823946f501a92271d809a4efd7daea01a1c3e746cb2ccd32196bec3

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
memory/216-189-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/216-181-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/388-275-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/388-277-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/744-246-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/744-249-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1144-312-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1144-310-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1580-309-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1640-158-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1640-150-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1756-301-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1916-323-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1916-319-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2028-285-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2040-300-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2080-214-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2080-222-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2140-322-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2140-320-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2224-288-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2248-307-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2412-313-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2412-311-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2624-304-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2808-308-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3052-317-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3060-303-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3060-302-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3108-267-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3176-290-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3176-294-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3184-281-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3196-315-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3244-314-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3780-306-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3808-316-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3820-178-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3848-295-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4048-318-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4092-192-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4092-200-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4420-262-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4420-259-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4440-238-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4440-243-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4468-269-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4512-132-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4512-139-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4616-321-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4660-211-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4660-203-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4668-297-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4668-298-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4696-257-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4780-299-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4780-296-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4888-168-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5032-305-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5036-278-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5036-274-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5072-146-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5088-253-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5112-232-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download