6d24a1079d31d71bef4f35a24ecbde6540bb180d5509cea78e07f3a409954102

Analysis

max time kernel
145s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02/10/2022, 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6d24a1079d31d71bef4f35a24ecbde6540bb180d5509cea78e07f3a409954102.exe
Size

677KB
MD5

723c9b95d66c5f763327baa4fe889310
SHA1

37999e045e0f3713fea1c6063aa84e37d05cdf80
SHA256

6d24a1079d31d71bef4f35a24ecbde6540bb180d5509cea78e07f3a409954102
SHA512

793526f6f7a9414d4576b3b047743e6e6b3862e4b3d759f848c6b3a64c7411748fbafc44d0978330fe5d0fde8a1330ce8ba2c8a96f4aa8a5521a99249433f005
SSDEEP

12288:HPhR9PUPhR9PgPhR9P9PhR9PGPhR9PePhR9PuPhR9PnSDyTFtj:JRYRgRJRWRSRmRkDyTFtj

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
5064	tmp240552468.exe
1276	tmp240552484.exe
5084	tmp240552546.exe
4216	tmp240552562.exe
844	tmp240552609.exe
4928	tmp240552703.exe
4824	tmp240552765.exe
4888	tmp240552812.exe
2536	tmp240552859.exe
2028	tmp240552921.exe
2672	tmp240552968.exe
932	tmp240553000.exe
2720	tmp240553078.exe
4828	notpad.exe
1800	tmp240553156.exe
5000	tmp240553187.exe
4732	tmp240553265.exe
4020	notpad.exe
3064	tmp240553406.exe
1400	tmp240553500.exe
3612	notpad.exe
3632	tmp240553640.exe
1264	tmp240553812.exe
4796	notpad.exe
1452	tmp240554015.exe
1444	tmp240554046.exe
3988	notpad.exe
2968	tmp240554203.exe
5088	tmp240554218.exe
4456	notpad.exe
1576	tmp240554375.exe
408	tmp240554390.exe
1156	notpad.exe
5100	tmp240554515.exe
3084	tmp240554531.exe
4048	notpad.exe
1116	tmp240554765.exe
4140	tmp240555171.exe
3528	notpad.exe
1844	tmp240555421.exe
2300	tmp240555500.exe
2960	notpad.exe
4296	tmp240555656.exe
4868	tmp240555703.exe
2656	notpad.exe
1644	tmp240555875.exe
4192	tmp240555921.exe
4976	notpad.exe
2548	tmp240556125.exe
5104	tmp240556203.exe
3980	notpad.exe
1804	tmp240556437.exe
3208	tmp240556484.exe
3016	notpad.exe
564	tmp240556687.exe
5084	tmp240556750.exe
1292	notpad.exe
5072	tmp240556875.exe
4928	tmp240556906.exe
2576	notpad.exe
4076	tmp240557078.exe
5116	tmp240557109.exe
1716	notpad.exe
2216	tmp240557328.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0006000000022e1c-146.dat	upx
behavioral2/memory/4216-153-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022e22-152.dat	upx
behavioral2/memory/4928-160-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022e24-159.dat	upx
behavioral2/memory/4888-161-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022e24-158.dat	upx
behavioral2/memory/4888-168-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/932-186-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022e1f-189.dat	upx
behavioral2/memory/4828-193-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4020-203-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022e21-205.dat	upx
behavioral2/files/0x0007000000022e21-217.dat	upx
behavioral2/files/0x0006000000022e1f-241.dat	upx
behavioral2/memory/4456-244-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1156-248-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4048-250-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022e21-237.dat	upx
behavioral2/memory/3988-235-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022e1f-231.dat	upx
behavioral2/memory/4048-254-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022e21-227.dat	upx
behavioral2/memory/4796-225-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022e1f-222.dat	upx
behavioral2/memory/3528-257-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3612-215-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3612-212-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022e1f-209.dat	upx
behavioral2/files/0x0006000000022e1f-199.dat	upx
behavioral2/files/0x0007000000022e21-195.dat	upx
behavioral2/files/0x0007000000022e21-182.dat	upx
behavioral2/files/0x0007000000022e21-180.dat	upx
behavioral2/memory/2028-175-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022e2a-174.dat	upx
behavioral2/files/0x0006000000022e2a-173.dat	upx
behavioral2/files/0x0006000000022e27-167.dat	upx
behavioral2/files/0x0006000000022e27-166.dat	upx
behavioral2/files/0x0007000000022e22-151.dat	upx
behavioral2/memory/1276-145-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022e1c-144.dat	upx
behavioral2/memory/4876-142-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022e19-138.dat	upx
behavioral2/files/0x0006000000022e19-137.dat	upx
behavioral2/memory/2960-261-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2656-265-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4976-269-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3980-273-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3016-277-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1292-281-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2576-285-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1716-287-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2720-289-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1716-290-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4344-291-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2720-292-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4344-293-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4732-294-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4732-295-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3564-296-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2204-297-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3868-298-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3868-299-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4756-300-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240629937.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240656265.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240657484.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240552468.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240589828.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240598640.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240601093.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240621468.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240682828.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240686125.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240691468.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240679109.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240679921.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240587171.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240587343.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240588937.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240637656.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240650312.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240689015.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240692312.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240553640.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240629140.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240652109.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240658703.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240680171.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240654187.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240683218.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240586984.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240597859.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240626609.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240627125.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240650765.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240685812.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240598078.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240622078.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240623281.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240658906.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240680421.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240554375.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240640187.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240652406.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240650906.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240676468.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240691937.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240598968.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240638171.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240687406.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240687984.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240678875.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240682625.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240555875.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240598796.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240623812.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240630640.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240653765.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240624500.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240657093.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240659421.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240691609.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240658078.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240677328.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240679593.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240594046.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240625000.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240623031.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240626609.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240627125.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240648968.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240650906.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240659625.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240686609.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240596765.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240596234.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240597375.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240597859.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240624234.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240638343.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240651093.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240653765.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240589093.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240678093.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240658703.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240596031.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240625000.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240627562.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240630109.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240683593.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240685812.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240555875.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240688812.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240595234.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240625250.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240628562.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240678093.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240561875.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240594546.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240658906.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240680171.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240686125.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240688609.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240691609.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240570578.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240622078.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240622078.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240679921.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240680968.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240683390.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240686609.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240687406.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240556875.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240557078.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240624500.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240658703.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240686609.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240554375.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240629750.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240649406.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240651093.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240659093.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240677593.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240689656.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240596968.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240683593.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240685609.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240689656.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240596578.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240640187.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240682828.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process
4420	1800	WerFault.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240624500.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240650312.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240684171.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240687406.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240691609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240555421.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240566750.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240585781.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240586187.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240597375.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240600781.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240638515.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240650765.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240659421.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240686937.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240692312.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240598968.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240620484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240629359.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240637828.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240651906.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240556125.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240587171.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240656687.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240658078.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240659625.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240595078.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240619296.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240626906.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240629750.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240677328.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240677593.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240682828.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240687625.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240555875.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240589093.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240589296.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240589828.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240597578.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240624234.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240552468.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240588937.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240653937.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240658515.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240680781.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240683968.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240686359.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240554375.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240554765.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240561875.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240596578.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240597859.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240622781.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240678328.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240587343.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240588750.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240593593.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240598640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240598796.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240600937.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240623031.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240648968.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240649718.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240652406.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4876 wrote to memory of 5064	4876	6d24a1079d31d71bef4f35a24ecbde6540bb180d5509cea78e07f3a409954102.exe	127
PID 4876 wrote to memory of 5064	4876	6d24a1079d31d71bef4f35a24ecbde6540bb180d5509cea78e07f3a409954102.exe	127
PID 4876 wrote to memory of 5064	4876	6d24a1079d31d71bef4f35a24ecbde6540bb180d5509cea78e07f3a409954102.exe	127
PID 4876 wrote to memory of 1276	4876	6d24a1079d31d71bef4f35a24ecbde6540bb180d5509cea78e07f3a409954102.exe	126
PID 4876 wrote to memory of 1276	4876	6d24a1079d31d71bef4f35a24ecbde6540bb180d5509cea78e07f3a409954102.exe	126
PID 4876 wrote to memory of 1276	4876	6d24a1079d31d71bef4f35a24ecbde6540bb180d5509cea78e07f3a409954102.exe	126
PID 1276 wrote to memory of 5084	1276	tmp240552484.exe	82
PID 1276 wrote to memory of 5084	1276	tmp240552484.exe	82
PID 1276 wrote to memory of 5084	1276	tmp240552484.exe	82
PID 1276 wrote to memory of 4216	1276	tmp240552484.exe	83
PID 1276 wrote to memory of 4216	1276	tmp240552484.exe	83
PID 1276 wrote to memory of 4216	1276	tmp240552484.exe	83
PID 4216 wrote to memory of 844	4216	tmp240552562.exe	84
PID 4216 wrote to memory of 844	4216	tmp240552562.exe	84
PID 4216 wrote to memory of 844	4216	tmp240552562.exe	84
PID 4216 wrote to memory of 4928	4216	tmp240552562.exe	125
PID 4216 wrote to memory of 4928	4216	tmp240552562.exe	125
PID 4216 wrote to memory of 4928	4216	tmp240552562.exe	125
PID 4928 wrote to memory of 4824	4928	tmp240552703.exe	124
PID 4928 wrote to memory of 4824	4928	tmp240552703.exe	124
PID 4928 wrote to memory of 4824	4928	tmp240552703.exe	124
PID 4928 wrote to memory of 4888	4928	tmp240552703.exe	123
PID 4928 wrote to memory of 4888	4928	tmp240552703.exe	123
PID 4928 wrote to memory of 4888	4928	tmp240552703.exe	123
PID 4888 wrote to memory of 2536	4888	tmp240552812.exe	85
PID 4888 wrote to memory of 2536	4888	tmp240552812.exe	85
PID 4888 wrote to memory of 2536	4888	tmp240552812.exe	85
PID 4888 wrote to memory of 2028	4888	tmp240552812.exe	122
PID 4888 wrote to memory of 2028	4888	tmp240552812.exe	122
PID 4888 wrote to memory of 2028	4888	tmp240552812.exe	122
PID 2028 wrote to memory of 2672	2028	tmp240552921.exe	121
PID 2028 wrote to memory of 2672	2028	tmp240552921.exe	121
PID 2028 wrote to memory of 2672	2028	tmp240552921.exe	121
PID 2028 wrote to memory of 932	2028	tmp240552921.exe	119
PID 2028 wrote to memory of 932	2028	tmp240552921.exe	119
PID 2028 wrote to memory of 932	2028	tmp240552921.exe	119
PID 5064 wrote to memory of 4828	5064	tmp240552468.exe	118
PID 5064 wrote to memory of 4828	5064	tmp240552468.exe	118
PID 5064 wrote to memory of 4828	5064	tmp240552468.exe	118
PID 932 wrote to memory of 2720	932	tmp240553000.exe	86
PID 932 wrote to memory of 2720	932	tmp240553000.exe	86
PID 932 wrote to memory of 2720	932	tmp240553000.exe	86
PID 932 wrote to memory of 1800	932	tmp240553000.exe	117
PID 932 wrote to memory of 1800	932	tmp240553000.exe	117
PID 932 wrote to memory of 1800	932	tmp240553000.exe	117
PID 4828 wrote to memory of 5000	4828	notpad.exe	116
PID 4828 wrote to memory of 5000	4828	notpad.exe	116
PID 4828 wrote to memory of 5000	4828	notpad.exe	116
PID 4828 wrote to memory of 4732	4828	notpad.exe	114
PID 4828 wrote to memory of 4732	4828	notpad.exe	114
PID 4828 wrote to memory of 4732	4828	notpad.exe	114
PID 5000 wrote to memory of 4020	5000	tmp240553187.exe	87
PID 5000 wrote to memory of 4020	5000	tmp240553187.exe	87
PID 5000 wrote to memory of 4020	5000	tmp240553187.exe	87
PID 4020 wrote to memory of 3064	4020	notpad.exe	112
PID 4020 wrote to memory of 3064	4020	notpad.exe	112
PID 4020 wrote to memory of 3064	4020	notpad.exe	112
PID 4020 wrote to memory of 1400	4020	notpad.exe	111
PID 4020 wrote to memory of 1400	4020	notpad.exe	111
PID 4020 wrote to memory of 1400	4020	notpad.exe	111
PID 3064 wrote to memory of 3612	3064	tmp240553406.exe	88
PID 3064 wrote to memory of 3612	3064	tmp240553406.exe	88
PID 3064 wrote to memory of 3612	3064	tmp240553406.exe	88
PID 3612 wrote to memory of 3632	3612	notpad.exe	110

C:\Users\Admin\AppData\Local\Temp\6d24a1079d31d71bef4f35a24ecbde6540bb180d5509cea78e07f3a409954102.exe
"C:\Users\Admin\AppData\Local\Temp\6d24a1079d31d71bef4f35a24ecbde6540bb180d5509cea78e07f3a409954102.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Users\Admin\AppData\Local\Temp\tmp240552484.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240552484.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1276
- C:\Users\Admin\AppData\Local\Temp\tmp240552468.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240552468.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5064

C:\Users\Admin\AppData\Local\Temp\tmp240552546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240552546.exe
1⤵
- Executes dropped EXE
PID:5084

C:\Users\Admin\AppData\Local\Temp\tmp240552562.exe
C:\Users\Admin\AppData\Local\Temp\tmp240552562.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4216
- C:\Users\Admin\AppData\Local\Temp\tmp240552609.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240552609.exe
  2⤵
  - Executes dropped EXE
  PID:844
- C:\Users\Admin\AppData\Local\Temp\tmp240552703.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240552703.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4928

C:\Users\Admin\AppData\Local\Temp\tmp240552859.exe
C:\Users\Admin\AppData\Local\Temp\tmp240552859.exe
1⤵
- Executes dropped EXE
PID:2536

C:\Users\Admin\AppData\Local\Temp\tmp240553078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240553078.exe
1⤵
- Executes dropped EXE
PID:2720

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4020
- C:\Users\Admin\AppData\Local\Temp\tmp240553500.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240553500.exe
  2⤵
  - Executes dropped EXE
  PID:1400
- C:\Users\Admin\AppData\Local\Temp\tmp240553406.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240553406.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3064

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3612
- C:\Users\Admin\AppData\Local\Temp\tmp240553812.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240553812.exe
  2⤵
  - Executes dropped EXE
  PID:1264
- C:\Users\Admin\AppData\Local\Temp\tmp240553640.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240553640.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  PID:3632

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
PID:4796
- C:\Users\Admin\AppData\Local\Temp\tmp240554046.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240554046.exe
  2⤵
  - Executes dropped EXE
  PID:1444
- C:\Users\Admin\AppData\Local\Temp\tmp240554015.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240554015.exe
  2⤵
  - Executes dropped EXE
  PID:1452

C:\Users\Admin\AppData\Local\Temp\tmp240554218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240554218.exe
1⤵
- Executes dropped EXE
PID:5088

C:\Users\Admin\AppData\Local\Temp\tmp240554390.exe
C:\Users\Admin\AppData\Local\Temp\tmp240554390.exe
1⤵
- Executes dropped EXE
PID:408

C:\Users\Admin\AppData\Local\Temp\tmp240554515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240554515.exe
1⤵
- Executes dropped EXE
PID:5100
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  PID:4048
- - C:\Users\Admin\AppData\Local\Temp\tmp240554765.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240554765.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:1116
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      Executes dropped EXE
      PID:3528
    - - C:\Users\Admin\AppData\Local\Temp\tmp240555421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240555421.exe
        5⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1844
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240555656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240555656.exe
        7⤵
        Executes dropped EXE
        
        PID:4296
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        Executes dropped EXE
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\tmp240555875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240555875.exe
        9⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        Executes dropped EXE
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556125.exe
        11⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        Executes dropped EXE
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556437.exe
        13⤵
        Executes dropped EXE
        
        PID:1804
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        14⤵
        Executes dropped EXE
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556687.exe
        15⤵
        Executes dropped EXE
        
        PID:564
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        Executes dropped EXE
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556875.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5072
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        Executes dropped EXE
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557078.exe
        19⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:4076
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        Executes dropped EXE
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557328.exe
        21⤵
        Executes dropped EXE
        
        PID:2216
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        22⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\tmp240561875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240561875.exe
        23⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1344
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        24⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240566750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240566750.exe
        25⤵
        Modifies registry class
        
        PID:116
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        26⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\tmp240570578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240570578.exe
        27⤵
        Drops file in System32 directory
        
        PID:2932
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        28⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240585781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240585781.exe
        29⤵
        Modifies registry class
        
        PID:3996
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        30⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240586000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240586000.exe
        31⤵
        
        PID:3828
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        32⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240586187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240586187.exe
        33⤵
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        34⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240586984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240586984.exe
        35⤵
        Checks computer location settings
        
        PID:4556
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        36⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\tmp240587171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240587171.exe
        37⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1412
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        38⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\tmp240587343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240587343.exe
        39⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3872
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        40⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588468.exe
        41⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        42⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588750.exe
        43⤵
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        44⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588937.exe
        45⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        46⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589093.exe
        47⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        48⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589296.exe
        49⤵
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        50⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589828.exe
        51⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3236
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        52⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590031.exe
        53⤵
        
        PID:564
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        54⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593593.exe
        55⤵
        Modifies registry class
        
        PID:4972
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        56⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593828.exe
        57⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        58⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594046.exe
        59⤵
        Checks computer location settings
        
        PID:2144
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        60⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594218.exe
        61⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        62⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594546.exe
        63⤵
        Drops file in System32 directory
        
        PID:204
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        64⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594843.exe
        65⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        66⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595078.exe
        67⤵
        Modifies registry class
        
        PID:1456
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        68⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595234.exe
        69⤵
        Drops file in System32 directory
        
        PID:780
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        70⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595484.exe
        71⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        72⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595796.exe
        73⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        74⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596031.exe
        75⤵
        Drops file in System32 directory
        
        PID:5040
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        76⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596234.exe
        77⤵
        Drops file in System32 directory
        
        PID:2584
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        78⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596375.exe
        79⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        80⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596578.exe
        81⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1340
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        82⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596765.exe
        83⤵
        Drops file in System32 directory
        
        PID:2960
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        84⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596968.exe
        85⤵
        Drops file in System32 directory
        
        PID:2328
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        86⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597375.exe
        87⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3968
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        88⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597578.exe
        89⤵
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        90⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597859.exe
        91⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        92⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598078.exe
        93⤵
        Checks computer location settings
        
        PID:1276
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        94⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598312.exe
        95⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        96⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598640.exe
        97⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3244
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        98⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598796.exe
        99⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        100⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598968.exe
        101⤵
        Checks computer location settings
        Modifies registry class
        
        PID:932
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        102⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600406.exe
        103⤵
        
        PID:224
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        104⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600500.exe
        105⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        106⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600671.exe
        107⤵
        
        PID:1748
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        108⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600843.exe
        109⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600781.exe
        109⤵
        Modifies registry class
        
        PID:4008
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        110⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600937.exe
        111⤵
        Modifies registry class
        
        PID:4700
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        112⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601093.exe
        113⤵
        Checks computer location settings
        
        PID:4600
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        114⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619296.exe
        115⤵
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        116⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620015.exe
        117⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        118⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620484.exe
        119⤵
        Modifies registry class
        
        PID:2300
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        120⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620984.exe
        121⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        122⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621468.exe
        123⤵
        Checks computer location settings
        
        PID:4516
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        124⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622078.exe
        125⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:648
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        126⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622546.exe
        127⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        128⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622781.exe
        129⤵
        Modifies registry class
        
        PID:1796
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        130⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623031.exe
        131⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3056
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        132⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623281.exe
        133⤵
        Checks computer location settings
        
        PID:4820
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        134⤵
        
        PID:728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623812.exe
        135⤵
        Checks computer location settings
        
        PID:5116
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        136⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624000.exe
        137⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        138⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624234.exe
        139⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4560
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        140⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624500.exe
        141⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4944
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        142⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624640.exe
        143⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        144⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625000.exe
        145⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4012
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        146⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625250.exe
        147⤵
        Drops file in System32 directory
        
        PID:3896
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        148⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625984.exe
        149⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        150⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626609.exe
        151⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1452
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        152⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626906.exe
        153⤵
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        154⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627125.exe
        155⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:424
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        156⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627562.exe
        157⤵
        Drops file in System32 directory
        
        PID:4600
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        158⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627984.exe
        159⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        160⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628187.exe
        161⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        162⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628562.exe
        163⤵
        Drops file in System32 directory
        
        PID:1636
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        164⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628968.exe
        165⤵
        
        PID:1844
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        166⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629140.exe
        167⤵
        Checks computer location settings
        
        PID:3912
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        168⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629359.exe
        169⤵
        Modifies registry class
        
        PID:484
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        170⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629750.exe
        171⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3972
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        172⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629937.exe
        173⤵
        Checks computer location settings
        
        PID:4116
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        174⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630109.exe
        175⤵
        Drops file in System32 directory
        
        PID:4928
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        176⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630640.exe
        177⤵
        Checks computer location settings
        
        PID:4124
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        178⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637656.exe
        179⤵
        Checks computer location settings
        
        PID:4784
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        180⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637828.exe
        181⤵
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        182⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638000.exe
        183⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        184⤵
        
        PID:240
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638171.exe
        185⤵
        Checks computer location settings
        
        PID:672
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        186⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638343.exe
        187⤵
        Drops file in System32 directory
        
        PID:116
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        188⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638515.exe
        189⤵
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        190⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640187.exe
        191⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:736
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        192⤵
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640328.exe
        193⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        194⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640500.exe
        195⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        196⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641875.exe
        197⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        198⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648968.exe
        199⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:884
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        200⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649406.exe
        201⤵
        Drops file in System32 directory
        
        PID:1528
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        202⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649718.exe
        203⤵
        Modifies registry class
        
        PID:2192
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        204⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650140.exe
        205⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        206⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650312.exe
        207⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4140
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        208⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650609.exe
        209⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        210⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650765.exe
        211⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3432
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        212⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650906.exe
        213⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3912
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        214⤵
        
        PID:648
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651093.exe
        215⤵
        Drops file in System32 directory
        
        PID:2520
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        216⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651281.exe
        217⤵
        
        PID:3972
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        218⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651562.exe
        219⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        220⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651734.exe
        221⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        222⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651906.exe
        223⤵
        Modifies registry class
        
        PID:1276
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        224⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652109.exe
        225⤵
        Checks computer location settings
        
        PID:4596
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        226⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652406.exe
        227⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3060
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        228⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652546.exe
        229⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        230⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652750.exe
        231⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        232⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653062.exe
        233⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        234⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653312.exe
        235⤵
        
        PID:3156
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        236⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653515.exe
        237⤵
        
        PID:4632
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        238⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653765.exe
        239⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2816
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        240⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653937.exe
        241⤵
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        242⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654187.exe
        243⤵
        Checks computer location settings
        
        PID:3076
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        244⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655593.exe
        245⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        246⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655843.exe
        247⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        248⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656078.exe
        249⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        250⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656265.exe
        251⤵
        Checks computer location settings
        
        PID:484
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        252⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656515.exe
        253⤵
        
        PID:968
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        254⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656687.exe
        255⤵
        Modifies registry class
        
        PID:2184
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        256⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656906.exe
        257⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        258⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657093.exe
        259⤵
        Checks computer location settings
        
        PID:816
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        260⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657312.exe
        261⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        262⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657484.exe
        263⤵
        Checks computer location settings
        
        PID:2304
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        264⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657687.exe
        265⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        266⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657906.exe
        267⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        268⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658078.exe
        269⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2104
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        270⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658515.exe
        271⤵
        Modifies registry class
        
        PID:972
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        272⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658703.exe
        273⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4080
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        274⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658906.exe
        275⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1720
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        276⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659093.exe
        277⤵
        Drops file in System32 directory
        
        PID:3872
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        278⤵
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659421.exe
        279⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4192
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        280⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659625.exe
        281⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5112
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        282⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659843.exe
        283⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        284⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676468.exe
        285⤵
        Checks computer location settings
        
        PID:3964
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        286⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677328.exe
        287⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4120
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        288⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677593.exe
        289⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2672
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        290⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678093.exe
        291⤵
        Drops file in System32 directory
        
        PID:1520
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        292⤵
        
        PID:816
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678328.exe
        293⤵
        Modifies registry class
        
        PID:3592
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        294⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678609.exe
        295⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        296⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678875.exe
        297⤵
        Checks computer location settings
        
        PID:1592
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        298⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679109.exe
        299⤵
        Checks computer location settings
        
        PID:3644
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        300⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679359.exe
        301⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        302⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679593.exe
        303⤵
        Checks computer location settings
        
        PID:3920
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        304⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679921.exe
        305⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:972
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        306⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680171.exe
        307⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2192
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        308⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680421.exe
        309⤵
        Checks computer location settings
        
        PID:2512
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        310⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680781.exe
        311⤵
        Modifies registry class
        
        PID:2548
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        312⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680968.exe
        313⤵
        Drops file in System32 directory
        
        PID:4420
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        314⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681203.exe
        315⤵
        
        PID:3044
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        316⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682375.exe
        317⤵
        
        PID:2148
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        318⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682625.exe
        319⤵
        Checks computer location settings
        
        PID:4984
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        320⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682828.exe
        321⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        322⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683015.exe
        323⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        324⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683218.exe
        325⤵
        Checks computer location settings
        
        PID:1740
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        326⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683390.exe
        327⤵
        Drops file in System32 directory
        
        PID:1028
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        328⤵
        
        PID:32
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683593.exe
        329⤵
        Drops file in System32 directory
        
        PID:1816
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        330⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683781.exe
        331⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        332⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683968.exe
        333⤵
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        334⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684171.exe
        335⤵
        Modifies registry class
        
        PID:2864
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        336⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685375.exe
        337⤵
        
        PID:3140
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        338⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685609.exe
        339⤵
        Drops file in System32 directory
        
        PID:4808
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        340⤵
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685765.exe
        341⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        342⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685921.exe
        343⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685968.exe
        343⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686156.exe
        344⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686203.exe
        344⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685781.exe
        341⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685812.exe
        342⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4980
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        343⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686125.exe
        344⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3444
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        345⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686359.exe
        346⤵
        Modifies registry class
        
        PID:3944
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        347⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686609.exe
        348⤵
        Drops file in System32 directory
        
        PID:3572
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        349⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686765.exe
        350⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        351⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686937.exe
        352⤵
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        353⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687234.exe
        354⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        355⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687406.exe
        356⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3016
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        357⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687625.exe
        358⤵
        Modifies registry class
        
        PID:1120
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        359⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687796.exe
        360⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        361⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687984.exe
        362⤵
        Checks computer location settings
        
        PID:4344
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        363⤵
        
        PID:32
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688203.exe
        364⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        365⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688421.exe
        366⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        367⤵
        
        PID:480
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688609.exe
        368⤵
        Drops file in System32 directory
        
        PID:2040
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        369⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688812.exe
        370⤵
        Drops file in System32 directory
        
        PID:2968
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        371⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689015.exe
        372⤵
        Checks computer location settings
        
        PID:3456
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        373⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689750.exe
        374⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690609.exe
        374⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690640.exe
        375⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690656.exe
        375⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691343.exe
        376⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691359.exe
        376⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689578.exe
        372⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689609.exe
        373⤵
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689625.exe
        373⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689656.exe
        374⤵
        Drops file in System32 directory
        
        PID:2428
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        375⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690765.exe
        376⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        377⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691468.exe
        378⤵
        Checks computer location settings
        
        PID:4520
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        379⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691656.exe
        380⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692140.exe
        380⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692250.exe
        381⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692296.exe
        381⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692359.exe
        382⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691515.exe
        378⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691562.exe
        379⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691578.exe
        379⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691609.exe
        380⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2704
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        381⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691937.exe
        382⤵
        Checks computer location settings
        
        PID:4288
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        383⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692312.exe
        384⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1096
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        385⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692359.exe
        384⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692109.exe
        382⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692187.exe
        383⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692218.exe
        384⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692265.exe
        384⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692171.exe
        383⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691625.exe
        380⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691312.exe
        376⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691375.exe
        377⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691406.exe
        377⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691421.exe
        378⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691437.exe
        378⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690578.exe
        374⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688828.exe
        370⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688843.exe
        371⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688859.exe
        371⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688890.exe
        372⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688921.exe
        372⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688625.exe
        368⤵
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688656.exe
        369⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688687.exe
        369⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688437.exe
        366⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688453.exe
        367⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688468.exe
        367⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688218.exe
        364⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688234.exe
        365⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688250.exe
        365⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688015.exe
        362⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688046.exe
        363⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688078.exe
        363⤵
        
        PID:204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687812.exe
        360⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687828.exe
        361⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687843.exe
        361⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687640.exe
        358⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687671.exe
        359⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687687.exe
        359⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687437.exe
        356⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687453.exe
        357⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687484.exe
        357⤵
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687250.exe
        354⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687281.exe
        355⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687296.exe
        355⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686953.exe
        352⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687031.exe
        353⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687062.exe
        353⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686796.exe
        350⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686843.exe
        351⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686875.exe
        351⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686625.exe
        348⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686656.exe
        349⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686718.exe
        349⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686437.exe
        346⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686468.exe
        347⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686500.exe
        347⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686140.exe
        344⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686234.exe
        345⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686312.exe
        345⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685953.exe
        342⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685625.exe
        339⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685703.exe
        340⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685718.exe
        340⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685390.exe
        337⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685406.exe
        338⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685421.exe
        338⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685125.exe
        335⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685171.exe
        336⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685187.exe
        336⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683984.exe
        333⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684000.exe
        334⤵
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684015.exe
        334⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683796.exe
        331⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683812.exe
        332⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683843.exe
        332⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683609.exe
        329⤵
        
        PID:260
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683625.exe
        330⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683640.exe
        330⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683406.exe
        327⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683421.exe
        328⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683437.exe
        328⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683234.exe
        325⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683328.exe
        326⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683343.exe
        326⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683031.exe
        323⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683046.exe
        324⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683062.exe
        324⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682843.exe
        321⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682859.exe
        322⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682875.exe
        322⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682656.exe
        319⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682671.exe
        320⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682687.exe
        320⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682406.exe
        317⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682484.exe
        318⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682500.exe
        318⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681218.exe
        315⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681312.exe
        316⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681375.exe
        316⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681000.exe
        313⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681031.exe
        314⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681046.exe
        314⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680796.exe
        311⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680812.exe
        312⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680828.exe
        312⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680453.exe
        309⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680468.exe
        310⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680484.exe
        310⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680187.exe
        307⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680234.exe
        308⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680265.exe
        308⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679953.exe
        305⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680000.exe
        306⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680046.exe
        306⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679640.exe
        303⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679656.exe
        304⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679671.exe
        304⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679375.exe
        301⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679406.exe
        302⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679421.exe
        302⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679125.exe
        299⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679156.exe
        300⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679187.exe
        300⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678890.exe
        297⤵
        
        PID:736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678921.exe
        298⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678953.exe
        298⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678625.exe
        295⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678656.exe
        296⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678671.exe
        296⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678343.exe
        293⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678375.exe
        294⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678406.exe
        294⤵
        
        PID:240
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678109.exe
        291⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678171.exe
        292⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678203.exe
        292⤵
        
        PID:728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677765.exe
        289⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677843.exe
        290⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677906.exe
        290⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677343.exe
        287⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677781.exe
        288⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677812.exe
        288⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677031.exe
        285⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677078.exe
        286⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677156.exe
        286⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676265.exe
        283⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677062.exe
        284⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677125.exe
        284⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659640.exe
        281⤵
        
        PID:916
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659656.exe
        282⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659671.exe
        282⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659437.exe
        279⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659453.exe
        280⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659468.exe
        280⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659218.exe
        277⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659234.exe
        278⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659265.exe
        278⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658921.exe
        275⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658937.exe
        276⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658968.exe
        276⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658718.exe
        273⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658734.exe
        274⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658750.exe
        274⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658531.exe
        271⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658546.exe
        272⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658593.exe
        272⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658093.exe
        269⤵
        
        PID:552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658359.exe
        270⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658390.exe
        270⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657937.exe
        267⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657953.exe
        268⤵
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657968.exe
        268⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657703.exe
        265⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657718.exe
        266⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657734.exe
        266⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657500.exe
        263⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657515.exe
        264⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657531.exe
        264⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657328.exe
        261⤵
        
        PID:204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657343.exe
        262⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657390.exe
        262⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657109.exe
        259⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657140.exe
        260⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657156.exe
        260⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656921.exe
        257⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656984.exe
        258⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657000.exe
        258⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656718.exe
        255⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656750.exe
        256⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656765.exe
        256⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656531.exe
        253⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656546.exe
        254⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656562.exe
        254⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656312.exe
        251⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656328.exe
        252⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656343.exe
        252⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656109.exe
        249⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656140.exe
        250⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656171.exe
        250⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655921.exe
        247⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656046.exe
        248⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656062.exe
        248⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655609.exe
        245⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655640.exe
        246⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655656.exe
        246⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655421.exe
        243⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655515.exe
        244⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655531.exe
        244⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654015.exe
        241⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654046.exe
        242⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654078.exe
        242⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653781.exe
        239⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653812.exe
        240⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653828.exe
        240⤵
        
        PID:424
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653531.exe
        237⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653562.exe
        238⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653578.exe
        238⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653328.exe
        235⤵
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653375.exe
        236⤵
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653390.exe
        236⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653078.exe
        233⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653156.exe
        234⤵
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653171.exe
        234⤵
        
        PID:736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652843.exe
        231⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652953.exe
        232⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653000.exe
        232⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652578.exe
        229⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652609.exe
        230⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652625.exe
        230⤵
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652421.exe
        227⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652515.exe
        228⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652531.exe
        228⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652125.exe
        225⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651921.exe
        223⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651750.exe
        221⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651578.exe
        219⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651375.exe
        217⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651109.exe
        215⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650953.exe
        213⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650781.exe
        211⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650625.exe
        209⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650453.exe
        207⤵
        
        PID:460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650156.exe
        205⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649984.exe
        203⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649515.exe
        201⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649265.exe
        199⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643671.exe
        197⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641671.exe
        195⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640343.exe
        193⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640203.exe
        191⤵
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640015.exe
        189⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638359.exe
        187⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638187.exe
        185⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638015.exe
        183⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637843.exe
        181⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637671.exe
        179⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634968.exe
        177⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630437.exe
        175⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629968.exe
        173⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629796.exe
        171⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629593.exe
        169⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629156.exe
        167⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628984.exe
        165⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628781.exe
        163⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628437.exe
        161⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628031.exe
        159⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627765.exe
        157⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627359.exe
        155⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626953.exe
        153⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626703.exe
        151⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626328.exe
        149⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625328.exe
        147⤵
        
        PID:660
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625046.exe
        145⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624750.exe
        143⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624515.exe
        141⤵
        
        PID:932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624312.exe
        139⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624093.exe
        137⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623859.exe
        135⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623296.exe
        133⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623078.exe
        131⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622890.exe
        129⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622609.exe
        127⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622171.exe
        125⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621484.exe
        123⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621343.exe
        121⤵
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620796.exe
        119⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620296.exe
        117⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619609.exe
        115⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613171.exe
        113⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601000.exe
        111⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600687.exe
        107⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600531.exe
        105⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600421.exe
        103⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600062.exe
        101⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598828.exe
        99⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598656.exe
        97⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598437.exe
        95⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598156.exe
        93⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597890.exe
        91⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597687.exe
        89⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597406.exe
        87⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597203.exe
        85⤵
        
        PID:648
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596796.exe
        83⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596593.exe
        81⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596421.exe
        79⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596250.exe
        77⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596078.exe
        75⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595875.exe
        73⤵
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595625.exe
        71⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595312.exe
        69⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595093.exe
        67⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594859.exe
        65⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594656.exe
        63⤵
        
        PID:32
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594375.exe
        61⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594062.exe
        59⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593875.exe
        57⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593640.exe
        55⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593390.exe
        53⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589843.exe
        51⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589671.exe
        49⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589109.exe
        47⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588953.exe
        45⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588765.exe
        43⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588515.exe
        41⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588328.exe
        39⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240587187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240587187.exe
        37⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\tmp240587000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240587000.exe
        35⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\tmp240586859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240586859.exe
        33⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\tmp240586015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240586015.exe
        31⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\tmp240585796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240585796.exe
        29⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240580640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240580640.exe
        27⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240570375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240570375.exe
        25⤵
        
        PID:32
        
        C:\Users\Admin\AppData\Local\Temp\tmp240566515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240566515.exe
        23⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240561703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240561703.exe
        21⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557109.exe
        19⤵
        Executes dropped EXE
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556906.exe
        17⤵
        Executes dropped EXE
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556750.exe
        15⤵
        Executes dropped EXE
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556484.exe
        13⤵
        Executes dropped EXE
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556203.exe
        11⤵
        Executes dropped EXE
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240555921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240555921.exe
        9⤵
        Executes dropped EXE
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\tmp240555703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240555703.exe
        7⤵
        Executes dropped EXE
        
        PID:4868
    - - C:\Users\Admin\AppData\Local\Temp\tmp240555500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240555500.exe
        5⤵
        Executes dropped EXE
        
        PID:2300
- - C:\Users\Admin\AppData\Local\Temp\tmp240555171.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240555171.exe
    3⤵
    - Executes dropped EXE
    PID:4140

C:\Users\Admin\AppData\Local\Temp\tmp240554531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240554531.exe
1⤵
- Executes dropped EXE
PID:3084

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
PID:1156

C:\Users\Admin\AppData\Local\Temp\tmp240554375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240554375.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:1576

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1800 -s 228
1⤵
- Program crash
PID:4420

C:\Users\Admin\AppData\Local\Temp\tmp240554203.exe
C:\Users\Admin\AppData\Local\Temp\tmp240554203.exe
1⤵
- Executes dropped EXE
PID:2968

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1800 -ip 1800
1⤵
PID:5004

C:\Users\Admin\AppData\Local\Temp\tmp240553265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240553265.exe
1⤵
- Executes dropped EXE
PID:4732

C:\Users\Admin\AppData\Local\Temp\tmp240553187.exe
C:\Users\Admin\AppData\Local\Temp\tmp240553187.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5000

C:\Users\Admin\AppData\Local\Temp\tmp240553156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240553156.exe
1⤵
- Executes dropped EXE
PID:1800

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4828

C:\Users\Admin\AppData\Local\Temp\tmp240553000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240553000.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:932

C:\Users\Admin\AppData\Local\Temp\tmp240552968.exe
C:\Users\Admin\AppData\Local\Temp\tmp240552968.exe
1⤵
- Executes dropped EXE
PID:2672

C:\Users\Admin\AppData\Local\Temp\tmp240552921.exe
C:\Users\Admin\AppData\Local\Temp\tmp240552921.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\tmp240552812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240552812.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4888

C:\Users\Admin\AppData\Local\Temp\tmp240552765.exe
C:\Users\Admin\AppData\Local\Temp\tmp240552765.exe
1⤵
- Executes dropped EXE
PID:4824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp240552468.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240552468.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240552484.exe

Filesize
419KB

MD5
2b78972310f3890b845bba7d5a734abe

SHA1
3c7e4011f34ce44bb7bf8a15e2bf1e7f411caff3

SHA256
5fdd78631c2a5d1701d0c60d398917aa2413b39ed6516ceb88bff8e73e418f37

SHA512
eb1ba61861f88ac4f8e8546688be412393e144ce594413c17aa3edea64430ef4b6636a1e808c8b12a2180c0351023507f3c081b1ce3cae7c88c714a0af43eac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240552484.exe

Filesize
419KB

MD5
2b78972310f3890b845bba7d5a734abe

SHA1
3c7e4011f34ce44bb7bf8a15e2bf1e7f411caff3

SHA256
5fdd78631c2a5d1701d0c60d398917aa2413b39ed6516ceb88bff8e73e418f37

SHA512
eb1ba61861f88ac4f8e8546688be412393e144ce594413c17aa3edea64430ef4b6636a1e808c8b12a2180c0351023507f3c081b1ce3cae7c88c714a0af43eac4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240552546.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240552546.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240552562.exe

Filesize
372KB

MD5
f70ac95908d5df940d3a8bf8d8474cc2

SHA1
785a9be3f0e32dfab221ab9fe265027692c3b0b5

SHA256
972ca6754aa9ab8a5c77c1b038330d9f9ffe9a3c1cc72a9e2e9ce55e23360b5b

SHA512
937d35ed1a91cf9915a6c9a3f177921f9031c8ad255a5031537e5d284a16f16def28444374982f6c4d7ff8dd60f81aa01f756db6d1dd2acbf07b0c3fce320048

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240552562.exe

Filesize
372KB

MD5
f70ac95908d5df940d3a8bf8d8474cc2

SHA1
785a9be3f0e32dfab221ab9fe265027692c3b0b5

SHA256
972ca6754aa9ab8a5c77c1b038330d9f9ffe9a3c1cc72a9e2e9ce55e23360b5b

SHA512
937d35ed1a91cf9915a6c9a3f177921f9031c8ad255a5031537e5d284a16f16def28444374982f6c4d7ff8dd60f81aa01f756db6d1dd2acbf07b0c3fce320048

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240552609.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240552609.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240552703.exe

Filesize
325KB

MD5
d28386c4d4ba4f81a48fea4b13fa560a

SHA1
91631ff8978c5ac3d2c6ef74eec3bd7be335b989

SHA256
4f0a158de9cd0a80750f3a171e5e175798056aabe4d5189b2d8e8a615070c924

SHA512
98cbdbd0032851853a4a7b7776dbc99bdbc7f0a9e63631d1adbc25ae62de1f7de6df5a001e5d06481bfdbee55283ec8d7deda46572178987aa45d33608865d30

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240552703.exe

Filesize
325KB

MD5
d28386c4d4ba4f81a48fea4b13fa560a

SHA1
91631ff8978c5ac3d2c6ef74eec3bd7be335b989

SHA256
4f0a158de9cd0a80750f3a171e5e175798056aabe4d5189b2d8e8a615070c924

SHA512
98cbdbd0032851853a4a7b7776dbc99bdbc7f0a9e63631d1adbc25ae62de1f7de6df5a001e5d06481bfdbee55283ec8d7deda46572178987aa45d33608865d30

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240552765.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240552765.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240552812.exe

Filesize
277KB

MD5
527584a1bb28c78ee91c3726fb5f2812

SHA1
4a201c56e9ba924214155c874bc87c463845462d

SHA256
b8809d2b825b2e11c6770509322c0dddaae06b8a62ce37c03c9dc3ea26237ef8

SHA512
d944f47ade3cae8f32de3487c0f750e6277e1a8b4d98e4b65142e19c40731a3376686b120072292e4bf8d12160fb1d6aa93b8a12ea4dda0749c516de897095a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240552812.exe

Filesize
277KB

MD5
527584a1bb28c78ee91c3726fb5f2812

SHA1
4a201c56e9ba924214155c874bc87c463845462d

SHA256
b8809d2b825b2e11c6770509322c0dddaae06b8a62ce37c03c9dc3ea26237ef8

SHA512
d944f47ade3cae8f32de3487c0f750e6277e1a8b4d98e4b65142e19c40731a3376686b120072292e4bf8d12160fb1d6aa93b8a12ea4dda0749c516de897095a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240552859.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240552859.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240552921.exe

Filesize
230KB

MD5
75decab59f935628ce78b29751f381bf

SHA1
01287bb4456e3fc7b9ba7e12f0e937a6dda90f0e

SHA256
f5732e20244ffadb7e7167e5a2d72a3dd92a73aae1d6d7ddb34afb2e3f1a692b

SHA512
4fa508e6907b1e4c213b8eba99f097779741f99d49ff47ed30c0deaa297b8bfe21d8a4c6d652c36a78067c9b610777a932524e20549b992de0b2d8b31470401a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240552921.exe

Filesize
230KB

MD5
75decab59f935628ce78b29751f381bf

SHA1
01287bb4456e3fc7b9ba7e12f0e937a6dda90f0e

SHA256
f5732e20244ffadb7e7167e5a2d72a3dd92a73aae1d6d7ddb34afb2e3f1a692b

SHA512
4fa508e6907b1e4c213b8eba99f097779741f99d49ff47ed30c0deaa297b8bfe21d8a4c6d652c36a78067c9b610777a932524e20549b992de0b2d8b31470401a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240552968.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240552968.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240553000.exe

Filesize
183KB

MD5
4067c1b6ded89c07c4a04a332707d62e

SHA1
e595e0c80872f9e3f7ab086e3adaf7b6dcac3d2b

SHA256
dec33b8c827d52434d64d861044f112d30e13b2498a6f05780f4b3947d85ee35

SHA512
06e5aba3e1bc215385516dedde1863e0066fb8bd0e06a6060502507bb91d9632ff61338c0b48eef1d4dbbf77b09e7660f1bd20d06584d2cae23a82edc28a4c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240553000.exe

Filesize
183KB

MD5
4067c1b6ded89c07c4a04a332707d62e

SHA1
e595e0c80872f9e3f7ab086e3adaf7b6dcac3d2b

SHA256
dec33b8c827d52434d64d861044f112d30e13b2498a6f05780f4b3947d85ee35

SHA512
06e5aba3e1bc215385516dedde1863e0066fb8bd0e06a6060502507bb91d9632ff61338c0b48eef1d4dbbf77b09e7660f1bd20d06584d2cae23a82edc28a4c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240553078.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240553078.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240553156.exe

Filesize
136KB

MD5
a5eb7c64ace01784ed52688ecb97d2ca

SHA1
662dd1ed923d2e3c8b657126644d7416118c79ac

SHA256
4e404547a75ce8cd2f401444cafa55a83ad8b8b0cd2fdc9bee32633a16e69a56

SHA512
339a9eedb18f7b94d482b0930663e0603d415fe3523968f41e7883a12bf1face6aa8695e7fab1b1b3c10c019a7bdb0deb1a26d90478dab5cf8dd5206e8842d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240553156.exe

Filesize
136KB

MD5
a5eb7c64ace01784ed52688ecb97d2ca

SHA1
662dd1ed923d2e3c8b657126644d7416118c79ac

SHA256
4e404547a75ce8cd2f401444cafa55a83ad8b8b0cd2fdc9bee32633a16e69a56

SHA512
339a9eedb18f7b94d482b0930663e0603d415fe3523968f41e7883a12bf1face6aa8695e7fab1b1b3c10c019a7bdb0deb1a26d90478dab5cf8dd5206e8842d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240553187.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240553187.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240553265.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240553406.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240553406.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240553500.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240553640.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240553640.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240553812.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240554015.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240554015.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240554046.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240554203.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240554203.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240554218.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240554375.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240554375.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
209KB

MD5
5551c796739dc08bca075f9fd0fafbc0

SHA1
5d273e4bd700a994b5d7e1cb7a5f6171ad89e06d

SHA256
e0f3ab5c5d4dcc843226df0af746a284d81d09ca4cf94e480e58ee382090b6b9

SHA512
55e33c192202766dbc9102ac09fe6a8c95e60b3fd65553193f5edc574ec01cdc9504ca428b4ca42f72e23ce26ab132c740227eb40be1dd6ac45661e8cd8f8a1f

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
209KB

MD5
5551c796739dc08bca075f9fd0fafbc0

SHA1
5d273e4bd700a994b5d7e1cb7a5f6171ad89e06d

SHA256
e0f3ab5c5d4dcc843226df0af746a284d81d09ca4cf94e480e58ee382090b6b9

SHA512
55e33c192202766dbc9102ac09fe6a8c95e60b3fd65553193f5edc574ec01cdc9504ca428b4ca42f72e23ce26ab132c740227eb40be1dd6ac45661e8cd8f8a1f

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
209KB

MD5
5551c796739dc08bca075f9fd0fafbc0

SHA1
5d273e4bd700a994b5d7e1cb7a5f6171ad89e06d

SHA256
e0f3ab5c5d4dcc843226df0af746a284d81d09ca4cf94e480e58ee382090b6b9

SHA512
55e33c192202766dbc9102ac09fe6a8c95e60b3fd65553193f5edc574ec01cdc9504ca428b4ca42f72e23ce26ab132c740227eb40be1dd6ac45661e8cd8f8a1f

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
209KB

MD5
5551c796739dc08bca075f9fd0fafbc0

SHA1
5d273e4bd700a994b5d7e1cb7a5f6171ad89e06d

SHA256
e0f3ab5c5d4dcc843226df0af746a284d81d09ca4cf94e480e58ee382090b6b9

SHA512
55e33c192202766dbc9102ac09fe6a8c95e60b3fd65553193f5edc574ec01cdc9504ca428b4ca42f72e23ce26ab132c740227eb40be1dd6ac45661e8cd8f8a1f

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
209KB

MD5
5551c796739dc08bca075f9fd0fafbc0

SHA1
5d273e4bd700a994b5d7e1cb7a5f6171ad89e06d

SHA256
e0f3ab5c5d4dcc843226df0af746a284d81d09ca4cf94e480e58ee382090b6b9

SHA512
55e33c192202766dbc9102ac09fe6a8c95e60b3fd65553193f5edc574ec01cdc9504ca428b4ca42f72e23ce26ab132c740227eb40be1dd6ac45661e8cd8f8a1f

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
209KB

MD5
5551c796739dc08bca075f9fd0fafbc0

SHA1
5d273e4bd700a994b5d7e1cb7a5f6171ad89e06d

SHA256
e0f3ab5c5d4dcc843226df0af746a284d81d09ca4cf94e480e58ee382090b6b9

SHA512
55e33c192202766dbc9102ac09fe6a8c95e60b3fd65553193f5edc574ec01cdc9504ca428b4ca42f72e23ce26ab132c740227eb40be1dd6ac45661e8cd8f8a1f

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
209KB

MD5
5551c796739dc08bca075f9fd0fafbc0

SHA1
5d273e4bd700a994b5d7e1cb7a5f6171ad89e06d

SHA256
e0f3ab5c5d4dcc843226df0af746a284d81d09ca4cf94e480e58ee382090b6b9

SHA512
55e33c192202766dbc9102ac09fe6a8c95e60b3fd65553193f5edc574ec01cdc9504ca428b4ca42f72e23ce26ab132c740227eb40be1dd6ac45661e8cd8f8a1f

Download Submit
memory/212-320-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/212-319-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/820-317-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/932-186-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/932-318-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/980-311-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1156-248-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1208-306-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1276-145-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1292-281-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1444-324-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1540-310-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1540-309-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1716-290-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1716-287-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1800-214-0x0000000000010000-0x0000000000032000-memory.dmp

Filesize
136KB

Download
memory/1944-313-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1944-312-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2028-175-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2204-297-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2344-305-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2344-304-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2576-285-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2656-265-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2720-292-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2720-289-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2960-261-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3016-277-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3528-257-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3564-296-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3612-212-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3612-215-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3824-323-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3868-299-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3868-298-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3904-303-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3904-302-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3980-273-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3988-235-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4020-203-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4048-250-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4048-254-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4216-153-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4236-322-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4344-293-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4344-291-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4408-321-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4456-244-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4608-307-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4732-294-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4732-295-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4756-300-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4784-316-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4796-225-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4828-193-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4876-142-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4888-168-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4888-161-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4928-160-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4936-301-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4976-269-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5072-314-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5072-315-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5112-308-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download