0328599e8552838314b63e7dd614dc8664febda4402d766b9ff15336f806bc95

Analysis

max time kernel
143s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2022 21:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0328599e8552838314b63e7dd614dc8664febda4402d766b9ff15336f806bc95.exe
Size

894KB
MD5

445126b80b7d56640cf32494d52414a0
SHA1

10e26c3a2b44211e9226c5288ed29ff67abfd56c
SHA256

0328599e8552838314b63e7dd614dc8664febda4402d766b9ff15336f806bc95
SHA512

8b75d49eea929e1a04c72569653878b224983d70a79c38f9093469738c66c7a4a97ec4d063dd9c8ff35f542f209fb12a79f5938b1e0a9479d652c9be8269de94
SSDEEP

24576:JRTRQRARkRPRORCRJRcRYRgRJRWRSRmR:JRTRQRARkRPRORCRJRcRYRgRJRWRSRmR

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
984	tmp240564968.exe
1780	tmp240565015.exe
4680	tmp240565093.exe
4908	tmp240565250.exe
4824	tmp240565421.exe
4872	tmp240565484.exe
4504	tmp240565562.exe
2200	tmp240565687.exe
568	tmp240566375.exe
4184	tmp240566484.exe
1452	tmp240566578.exe
4700	tmp240566625.exe
2088	tmp240566750.exe
4388	tmp240566812.exe
5116	tmp240566875.exe
1196	tmp240566890.exe
220	tmp240566984.exe
5036	tmp240567015.exe
2732	tmp240567609.exe
3732	tmp240567625.exe
3508	tmp240567750.exe
1564	tmp240567781.exe
4268	tmp240568453.exe
4460	tmp240568531.exe
2364	tmp240568609.exe
3484	tmp240568640.exe
3632	tmp240568703.exe
1832	tmp240568750.exe
2196	tmp240568843.exe
3884	tmp240568859.exe
3736	tmp240568937.exe
5020	tmp240568953.exe
1912	notpad.exe
1364	tmp240569734.exe
5048	tmp240569750.exe
3568	notpad.exe
4296	tmp240569906.exe
2688	tmp240569921.exe
1020	notpad.exe
4736	tmp240570078.exe
1356	tmp240570109.exe
1952	notpad.exe
2248	tmp240570265.exe
2120	notpad.exe
3388	tmp240570515.exe
2660	tmp240570656.exe
644	tmp240570687.exe
2796	notpad.exe
4468	tmp240570843.exe
4224	notpad.exe
4896	tmp240571359.exe
2640	tmp240570875.exe
2464	tmp240571750.exe
3964	notpad.exe
4692	tmp240581750.exe
1516	tmp240585187.exe
1868	notpad.exe
2388	tmp240585375.exe
4908	notpad.exe
4848	tmp240590578.exe
4772	tmp240590781.exe
4764	tmp240590859.exe
4292	notpad.exe
2200	tmp240591062.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0009000000022e23-136.dat	upx
behavioral2/files/0x0009000000022e23-138.dat	upx
behavioral2/memory/1780-139-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3776-137-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022e30-144.dat	upx
behavioral2/memory/1780-146-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022e30-145.dat	upx
behavioral2/files/0x0006000000022e34-151.dat	upx
behavioral2/files/0x0006000000022e34-153.dat	upx
behavioral2/memory/4908-152-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4872-157-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022e29-160.dat	upx
behavioral2/memory/4872-161-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022e29-159.dat	upx
behavioral2/files/0x0006000000022e3d-166.dat	upx
behavioral2/memory/2200-168-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022e3d-167.dat	upx
behavioral2/files/0x0006000000022e40-173.dat	upx
behavioral2/files/0x0006000000022e40-175.dat	upx
behavioral2/memory/4184-174-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022e46-187.dat	upx
behavioral2/files/0x0006000000022e46-188.dat	upx
behavioral2/memory/1196-193-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4388-189-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022e43-182.dat	upx
behavioral2/memory/4700-181-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022e43-180.dat	upx
behavioral2/memory/1196-196-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022e4c-202.dat	upx
behavioral2/files/0x0006000000022e4f-209.dat	upx
behavioral2/files/0x0006000000022e4c-204.dat	upx
behavioral2/memory/5036-203-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3732-211-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1564-210-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022e4f-213.dat	upx
behavioral2/memory/3732-212-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022e52-219.dat	upx
behavioral2/memory/4460-227-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3484-234-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3884-247-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022e5a-241.dat	upx
behavioral2/memory/1832-240-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022e5a-239.dat	upx
behavioral2/memory/1912-253-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1020-261-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1952-267-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2120-269-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2796-272-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2796-276-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3568-257-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4224-277-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022e57-233.dat	upx
behavioral2/files/0x0006000000022e57-232.dat	upx
behavioral2/files/0x0006000000022e54-226.dat	upx
behavioral2/files/0x0006000000022e54-225.dat	upx
behavioral2/memory/1564-220-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022e52-218.dat	upx
behavioral2/files/0x0006000000022e49-197.dat	upx
behavioral2/files/0x0006000000022e49-195.dat	upx
behavioral2/memory/4224-279-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3964-281-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3964-284-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1868-286-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1868-290-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240599234.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240598359.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240600781.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240604187.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	notpad.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240598765.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240619906.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240570656.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	notpad.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240616546.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240621187.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240603593.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240606546.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240619640.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240599062.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240602312.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240622046.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	notpad.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240607937.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240602984.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	notpad.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	notpad.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240620796.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240614125.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240606812.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240613406.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240597968.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240602593.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240616984.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240604343.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240599671.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Process not Found

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\notpad.exe	tmp240599296.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240615531.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240619562.exe
File created	C:\Windows\SysWOW64\notpad.exe	Process not Found
File created	C:\Windows\SysWOW64\notpad.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\fsb.stb	notpad.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240611296.exe
File created	C:\Windows\SysWOW64\notpad.exe	Process not Found
File created	C:\Windows\SysWOW64\notpad.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240599750.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	Process not Found
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240614125.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240600296.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	Process not Found
File created	C:\Windows\SysWOW64\notpad.exe	tmp240620734.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240615531.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	Process not Found
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	Process not Found
File opened for modification	C:\Windows\SysWOW64\fsb.stb	Process not Found
File created	C:\Windows\SysWOW64\notpad.exe-	Process not Found
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	Process not Found
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240600296.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240598953.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240619140.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	Process not Found
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240599750.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240621984.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	Process not Found
File opened for modification	C:\Windows\SysWOW64\fsb.stb	Process not Found
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240595187.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240598765.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240606546.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240608078.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	Process not Found
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240604187.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	Process not Found
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	notpad.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240619343.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	Process not Found
File created	C:\Windows\SysWOW64\notpad.exe-	Process not Found
File created	C:\Windows\SysWOW64\notpad.exe	Process not Found
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240619734.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240606546.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240614375.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	Process not Found
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240620500.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	notpad.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	Process not Found
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240600218.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	Process not Found
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240599671.exe
File created	C:\Windows\SysWOW64\notpad.exe-	Process not Found
File created	C:\Windows\SysWOW64\notpad.exe	Process not Found
File created	C:\Windows\SysWOW64\notpad.exe-	Process not Found
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240613406.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240605140.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	Process not Found
File created	C:\Windows\SysWOW64\notpad.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\fsb.stb	Process not Found
File created	C:\Windows\SysWOW64\notpad.exe	tmp240570265.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240598890.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240600578.exe
File created	C:\Windows\SysWOW64\notpad.exe	Process not Found
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	Process not Found

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1176	5020	WerFault.exe	100

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240571359.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240591531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240608218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240621156.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240569734.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240611750.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240569906.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240603500.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240620734.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240604187.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240609625.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240598843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240618953.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240619687.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240605000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240608484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240620500.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240605140.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240611484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240619140.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240602453.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	notpad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240570265.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3776 wrote to memory of 984	3776	0328599e8552838314b63e7dd614dc8664febda4402d766b9ff15336f806bc95.exe	81
PID 3776 wrote to memory of 984	3776	0328599e8552838314b63e7dd614dc8664febda4402d766b9ff15336f806bc95.exe	81
PID 3776 wrote to memory of 984	3776	0328599e8552838314b63e7dd614dc8664febda4402d766b9ff15336f806bc95.exe	81
PID 3776 wrote to memory of 1780	3776	0328599e8552838314b63e7dd614dc8664febda4402d766b9ff15336f806bc95.exe	82
PID 3776 wrote to memory of 1780	3776	0328599e8552838314b63e7dd614dc8664febda4402d766b9ff15336f806bc95.exe	82
PID 3776 wrote to memory of 1780	3776	0328599e8552838314b63e7dd614dc8664febda4402d766b9ff15336f806bc95.exe	82
PID 1780 wrote to memory of 4680	1780	tmp240565015.exe	83
PID 1780 wrote to memory of 4680	1780	tmp240565015.exe	83
PID 1780 wrote to memory of 4680	1780	tmp240565015.exe	83
PID 1780 wrote to memory of 4908	1780	tmp240565015.exe	84
PID 1780 wrote to memory of 4908	1780	tmp240565015.exe	84
PID 1780 wrote to memory of 4908	1780	tmp240565015.exe	84
PID 4908 wrote to memory of 4824	4908	tmp240565250.exe	85
PID 4908 wrote to memory of 4824	4908	tmp240565250.exe	85
PID 4908 wrote to memory of 4824	4908	tmp240565250.exe	85
PID 4908 wrote to memory of 4872	4908	tmp240565250.exe	86
PID 4908 wrote to memory of 4872	4908	tmp240565250.exe	86
PID 4908 wrote to memory of 4872	4908	tmp240565250.exe	86
PID 4872 wrote to memory of 4504	4872	tmp240565484.exe	87
PID 4872 wrote to memory of 4504	4872	tmp240565484.exe	87
PID 4872 wrote to memory of 4504	4872	tmp240565484.exe	87
PID 4872 wrote to memory of 2200	4872	tmp240565484.exe	88
PID 4872 wrote to memory of 2200	4872	tmp240565484.exe	88
PID 4872 wrote to memory of 2200	4872	tmp240565484.exe	88
PID 2200 wrote to memory of 568	2200	tmp240565687.exe	89
PID 2200 wrote to memory of 568	2200	tmp240565687.exe	89
PID 2200 wrote to memory of 568	2200	tmp240565687.exe	89
PID 2200 wrote to memory of 4184	2200	tmp240565687.exe	90
PID 2200 wrote to memory of 4184	2200	tmp240565687.exe	90
PID 2200 wrote to memory of 4184	2200	tmp240565687.exe	90
PID 4184 wrote to memory of 1452	4184	tmp240566484.exe	91
PID 4184 wrote to memory of 1452	4184	tmp240566484.exe	91
PID 4184 wrote to memory of 1452	4184	tmp240566484.exe	91
PID 4184 wrote to memory of 4700	4184	tmp240566484.exe	135
PID 4184 wrote to memory of 4700	4184	tmp240566484.exe	135
PID 4184 wrote to memory of 4700	4184	tmp240566484.exe	135
PID 4700 wrote to memory of 2088	4700	tmp240566625.exe	92
PID 4700 wrote to memory of 2088	4700	tmp240566625.exe	92
PID 4700 wrote to memory of 2088	4700	tmp240566625.exe	92
PID 4700 wrote to memory of 4388	4700	tmp240566625.exe	96
PID 4700 wrote to memory of 4388	4700	tmp240566625.exe	96
PID 4700 wrote to memory of 4388	4700	tmp240566625.exe	96
PID 4388 wrote to memory of 5116	4388	tmp240566812.exe	95
PID 4388 wrote to memory of 5116	4388	tmp240566812.exe	95
PID 4388 wrote to memory of 5116	4388	tmp240566812.exe	95
PID 4388 wrote to memory of 1196	4388	tmp240566812.exe	94
PID 4388 wrote to memory of 1196	4388	tmp240566812.exe	94
PID 4388 wrote to memory of 1196	4388	tmp240566812.exe	94
PID 1196 wrote to memory of 220	1196	tmp240566890.exe	93
PID 1196 wrote to memory of 220	1196	tmp240566890.exe	93
PID 1196 wrote to memory of 220	1196	tmp240566890.exe	93
PID 1196 wrote to memory of 5036	1196	tmp240566890.exe	134
PID 1196 wrote to memory of 5036	1196	tmp240566890.exe	134
PID 1196 wrote to memory of 5036	1196	tmp240566890.exe	134
PID 5036 wrote to memory of 2732	5036	tmp240567015.exe	133
PID 5036 wrote to memory of 2732	5036	tmp240567015.exe	133
PID 5036 wrote to memory of 2732	5036	tmp240567015.exe	133
PID 5036 wrote to memory of 3732	5036	tmp240567015.exe	99
PID 5036 wrote to memory of 3732	5036	tmp240567015.exe	99
PID 5036 wrote to memory of 3732	5036	tmp240567015.exe	99
PID 3732 wrote to memory of 3508	3732	tmp240567625.exe	98
PID 3732 wrote to memory of 3508	3732	tmp240567625.exe	98
PID 3732 wrote to memory of 3508	3732	tmp240567625.exe	98
PID 3732 wrote to memory of 1564	3732	tmp240567625.exe	97

C:\Users\Admin\AppData\Local\Temp\0328599e8552838314b63e7dd614dc8664febda4402d766b9ff15336f806bc95.exe
"C:\Users\Admin\AppData\Local\Temp\0328599e8552838314b63e7dd614dc8664febda4402d766b9ff15336f806bc95.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3776
- C:\Users\Admin\AppData\Local\Temp\tmp240564968.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240564968.exe
  2⤵
  - Executes dropped EXE
  PID:984
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    PID:1912
- C:\Users\Admin\AppData\Local\Temp\tmp240565015.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240565015.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Users\Admin\AppData\Local\Temp\tmp240565093.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240565093.exe
    3⤵
    - Executes dropped EXE
    PID:4680
  - - C:\Users\Admin\AppData\Local\Temp\tmp240604109.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240604109.exe
      4⤵
      PID:3536
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:4764
      - C:\Users\Admin\AppData\Local\Temp\tmp240610218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610218.exe
        6⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610250.exe
        7⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610265.exe
        7⤵
        
        PID:4920
      - C:\Users\Admin\AppData\Local\Temp\tmp240610140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610140.exe
        6⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        
        PID:428
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596625.exe
        8⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596593.exe
        8⤵
        
        PID:4504
    - - C:\Users\Admin\AppData\Local\Temp\tmp240614406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614406.exe
        5⤵
        
        PID:4088
    - - C:\Users\Admin\AppData\Local\Temp\tmp240614421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614421.exe
        5⤵
        
        PID:8
      - C:\Users\Admin\AppData\Local\Temp\tmp240614453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614453.exe
        6⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618312.exe
        8⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618390.exe
        9⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618406.exe
        9⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608484.exe
        10⤵
        Modifies registry class
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597812.exe
        11⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608468.exe
        10⤵
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618171.exe
        8⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610984.exe
        8⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597531.exe
        9⤵
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610968.exe
        8⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608218.exe
        8⤵
        Modifies registry class
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608203.exe
        8⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597406.exe
        9⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610437.exe
        7⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610375.exe
        7⤵
        
        PID:2172
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602375.exe
        7⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602359.exe
        7⤵
        
        PID:4084
  - - C:\Users\Admin\AppData\Local\Temp\tmp240604078.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240604078.exe
      4⤵
      PID:4912
- - C:\Users\Admin\AppData\Local\Temp\tmp240565250.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240565250.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4908
  - - C:\Users\Admin\AppData\Local\Temp\tmp240565421.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240565421.exe
      4⤵
      Executes dropped EXE
      PID:4824
  - - C:\Users\Admin\AppData\Local\Temp\tmp240565484.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240565484.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4872
    - - C:\Users\Admin\AppData\Local\Temp\tmp240565562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240565562.exe
        5⤵
        Executes dropped EXE
        
        PID:4504
    - - C:\Users\Admin\AppData\Local\Temp\tmp240565687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240565687.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2200
      - C:\Users\Admin\AppData\Local\Temp\tmp240566375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240566375.exe
        6⤵
        Executes dropped EXE
        
        PID:568
      - C:\Users\Admin\AppData\Local\Temp\tmp240566484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240566484.exe
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\tmp240566578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240566578.exe
        7⤵
        Executes dropped EXE
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614515.exe
        8⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614796.exe
        9⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\tmp240566625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240566625.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4700
- C:\Users\Admin\AppData\Local\Temp\tmp240612171.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240612171.exe
  2⤵
  PID:3964
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:3284
  - - C:\Users\Admin\AppData\Local\Temp\tmp240612281.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240612281.exe
      4⤵
      PID:556
  - - C:\Users\Admin\AppData\Local\Temp\tmp240612343.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240612343.exe
      4⤵
      PID:4896
  - - C:\Users\Admin\AppData\Local\Temp\tmp240599062.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240599062.exe
      4⤵
      Checks computer location settings
      PID:1452
  - - C:\Users\Admin\AppData\Local\Temp\tmp240599046.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240599046.exe
      4⤵
      PID:3480
- C:\Users\Admin\AppData\Local\Temp\tmp240612203.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240612203.exe
  2⤵
  PID:2264

C:\Users\Admin\AppData\Local\Temp\tmp240566750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240566750.exe
1⤵
- Executes dropped EXE
PID:2088

C:\Users\Admin\AppData\Local\Temp\tmp240566984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240566984.exe
1⤵
- Executes dropped EXE
PID:220

C:\Users\Admin\AppData\Local\Temp\tmp240566890.exe
C:\Users\Admin\AppData\Local\Temp\tmp240566890.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Users\Admin\AppData\Local\Temp\tmp240567015.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240567015.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5036

C:\Users\Admin\AppData\Local\Temp\tmp240566875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240566875.exe
1⤵
- Executes dropped EXE
PID:5116

C:\Users\Admin\AppData\Local\Temp\tmp240566812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240566812.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4388

C:\Users\Admin\AppData\Local\Temp\tmp240567781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240567781.exe
1⤵
- Executes dropped EXE
PID:1564
- C:\Users\Admin\AppData\Local\Temp\tmp240568531.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240568531.exe
  2⤵
  - Executes dropped EXE
  PID:4460
- C:\Users\Admin\AppData\Local\Temp\tmp240568453.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240568453.exe
  2⤵
  - Executes dropped EXE
  PID:4268

C:\Users\Admin\AppData\Local\Temp\tmp240567750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240567750.exe
1⤵
- Executes dropped EXE
PID:3508

C:\Users\Admin\AppData\Local\Temp\tmp240567625.exe
C:\Users\Admin\AppData\Local\Temp\tmp240567625.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3732

C:\Users\Admin\AppData\Local\Temp\tmp240568953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240568953.exe
1⤵
- Executes dropped EXE
PID:5020
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 5020 -s 228
  2⤵
  - Program crash
  PID:1176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 5020 -ip 5020
1⤵
PID:4792
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:3872
- - C:\Users\Admin\AppData\Local\Temp\tmp240597921.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240597921.exe
    3⤵
    PID:2068

C:\Users\Admin\AppData\Local\Temp\tmp240568937.exe
C:\Users\Admin\AppData\Local\Temp\tmp240568937.exe
1⤵
- Executes dropped EXE
PID:3736

C:\Users\Admin\AppData\Local\Temp\tmp240569750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240569750.exe
1⤵
- Executes dropped EXE
PID:5048

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
PID:1952
- C:\Users\Admin\AppData\Local\Temp\tmp240570265.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240570265.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  PID:2248
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    PID:2120
  - - C:\Users\Admin\AppData\Local\Temp\tmp240570656.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240570656.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      PID:2660
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        Executes dropped EXE
        
        PID:2796
      - C:\Users\Admin\AppData\Local\Temp\tmp240570875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240570875.exe
        6⤵
        Executes dropped EXE
        
        PID:2640
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:4436
  - - C:\Users\Admin\AppData\Local\Temp\tmp240570687.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240570687.exe
      4⤵
      Executes dropped EXE
      PID:644
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:2272
- C:\Users\Admin\AppData\Local\Temp\tmp240570515.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240570515.exe
  2⤵
  - Executes dropped EXE
  PID:3388
- C:\Users\Admin\AppData\Local\Temp\tmp240613765.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240613765.exe
  2⤵
  PID:4468
- - C:\Users\Admin\AppData\Local\Temp\tmp240613781.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240613781.exe
    3⤵
    PID:2072

C:\Users\Admin\AppData\Local\Temp\tmp240570109.exe
C:\Users\Admin\AppData\Local\Temp\tmp240570109.exe
1⤵
- Executes dropped EXE
PID:1356

C:\Users\Admin\AppData\Local\Temp\tmp240570843.exe
C:\Users\Admin\AppData\Local\Temp\tmp240570843.exe
1⤵
- Executes dropped EXE
PID:4468
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  PID:4224
- - C:\Users\Admin\AppData\Local\Temp\tmp240571359.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240571359.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:4896
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      Executes dropped EXE
      PID:3964
    - - C:\Users\Admin\AppData\Local\Temp\tmp240581750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240581750.exe
        5⤵
        Executes dropped EXE
        
        PID:4692
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        Executes dropped EXE
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240585375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240585375.exe
        7⤵
        Executes dropped EXE
        
        PID:2388
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        Executes dropped EXE
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590781.exe
        9⤵
        Executes dropped EXE
        
        PID:4772
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        Executes dropped EXE
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591062.exe
        11⤵
        Executes dropped EXE
        
        PID:2200
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591328.exe
        13⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        14⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591531.exe
        15⤵
        Modifies registry class
        
        PID:2652
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591656.exe
        17⤵
        
        PID:220
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591921.exe
        19⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592171.exe
        21⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        22⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592328.exe
        23⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602718.exe
        24⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        25⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592203.exe
        21⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606328.exe
        20⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606312.exe
        20⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592031.exe
        19⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591750.exe
        17⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597046.exe
        17⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591546.exe
        15⤵
        
        PID:344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616031.exe
        15⤵
        
        PID:4700
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616218.exe
        17⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616234.exe
        18⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616265.exe
        18⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616312.exe
        19⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616343.exe
        20⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616390.exe
        20⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612937.exe
        21⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606406.exe
        22⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604484.exe
        21⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604468.exe
        21⤵
        
        PID:3496
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616296.exe
        19⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602312.exe
        21⤵
        Checks computer location settings
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614375.exe
        18⤵
        Drops file in System32 directory
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616203.exe
        17⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616453.exe
        19⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616484.exe
        20⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        21⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616703.exe
        22⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616718.exe
        22⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616828.exe
        23⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616843.exe
        23⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616921.exe
        24⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616968.exe
        24⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616984.exe
        25⤵
        Checks computer location settings
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617000.exe
        25⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613796.exe
        24⤵
        
        PID:2232
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        23⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607984.exe
        21⤵
        
        PID:308
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599312.exe
        22⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599296.exe
        22⤵
        Drops file in System32 directory
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607968.exe
        21⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616578.exe
        20⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616640.exe
        21⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        22⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616734.exe
        23⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        24⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617062.exe
        25⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617296.exe
        26⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        27⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617531.exe
        28⤵
        
        PID:344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617546.exe
        28⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617640.exe
        29⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        30⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617828.exe
        31⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614500.exe
        32⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617875.exe
        31⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618109.exe
        32⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        33⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618296.exe
        32⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618406.exe
        33⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608390.exe
        34⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608375.exe
        34⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618437.exe
        33⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618453.exe
        34⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        35⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618656.exe
        36⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607062.exe
        37⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600359.exe
        37⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600328.exe
        37⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618671.exe
        36⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618734.exe
        37⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618843.exe
        38⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618906.exe
        39⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618921.exe
        39⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618828.exe
        38⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611796.exe
        39⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618718.exe
        37⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        38⤵
        
        PID:720
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        37⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613312.exe
        36⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618484.exe
        34⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612906.exe
        34⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608453.exe
        33⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617781.exe
        29⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617796.exe
        30⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        31⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617812.exe
        30⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617859.exe
        31⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618265.exe
        31⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        32⤵
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602656.exe
        33⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602640.exe
        33⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614359.exe
        30⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        29⤵
        Checks computer location settings
        
        PID:376
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        28⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        28⤵
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596375.exe
        29⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596156.exe
        29⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614140.exe
        27⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617421.exe
        26⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605000.exe
        24⤵
        Modifies registry class
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617015.exe
        23⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605593.exe
        24⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        25⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616671.exe
        21⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614921.exe
        22⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617109.exe
        22⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617093.exe
        22⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613968.exe
        23⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607593.exe
        24⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607578.exe
        24⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613953.exe
        23⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611406.exe
        21⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        22⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604593.exe
        19⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599578.exe
        20⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610718.exe
        17⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599500.exe
        17⤵
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599484.exe
        17⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608125.exe
        17⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608109.exe
        17⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591359.exe
        13⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591140.exe
        11⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590859.exe
        9⤵
        Executes dropped EXE
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605843.exe
        8⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590578.exe
        7⤵
        Executes dropped EXE
        
        PID:4848
    - - C:\Users\Admin\AppData\Local\Temp\tmp240585187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240585187.exe
        5⤵
        Executes dropped EXE
        
        PID:1516
  - - C:\Users\Admin\AppData\Local\Temp\tmp240612703.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240612703.exe
      4⤵
      PID:3444
    - - C:\Users\Admin\AppData\Local\Temp\tmp240612812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612812.exe
        5⤵
        
        PID:456
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:216
    - - C:\Users\Admin\AppData\Local\Temp\tmp240612843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612843.exe
        5⤵
        
        PID:308
- - C:\Users\Admin\AppData\Local\Temp\tmp240571750.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240571750.exe
    3⤵
    - Executes dropped EXE
    PID:2464

C:\Users\Admin\AppData\Local\Temp\tmp240570078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240570078.exe
1⤵
- Executes dropped EXE
PID:4736

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
PID:1020

C:\Users\Admin\AppData\Local\Temp\tmp240569921.exe
C:\Users\Admin\AppData\Local\Temp\tmp240569921.exe
1⤵
- Executes dropped EXE
PID:2688

C:\Users\Admin\AppData\Local\Temp\tmp240569906.exe
C:\Users\Admin\AppData\Local\Temp\tmp240569906.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:4296

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
PID:3568

C:\Users\Admin\AppData\Local\Temp\tmp240569734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240569734.exe
1⤵
- Executes dropped EXE
- Modifies registry class
PID:1364

C:\Users\Admin\AppData\Local\Temp\tmp240568859.exe
C:\Users\Admin\AppData\Local\Temp\tmp240568859.exe
1⤵
- Executes dropped EXE
PID:3884

C:\Users\Admin\AppData\Local\Temp\tmp240568843.exe
C:\Users\Admin\AppData\Local\Temp\tmp240568843.exe
1⤵
- Executes dropped EXE
PID:2196

C:\Users\Admin\AppData\Local\Temp\tmp240568750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240568750.exe
1⤵
- Executes dropped EXE
PID:1832

C:\Users\Admin\AppData\Local\Temp\tmp240568703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240568703.exe
1⤵
- Executes dropped EXE
PID:3632

C:\Users\Admin\AppData\Local\Temp\tmp240568640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240568640.exe
1⤵
- Executes dropped EXE
PID:3484

C:\Users\Admin\AppData\Local\Temp\tmp240568609.exe
C:\Users\Admin\AppData\Local\Temp\tmp240568609.exe
1⤵
- Executes dropped EXE
PID:2364

C:\Users\Admin\AppData\Local\Temp\tmp240567609.exe
C:\Users\Admin\AppData\Local\Temp\tmp240567609.exe
1⤵
- Executes dropped EXE
PID:2732

C:\Users\Admin\AppData\Local\Temp\tmp240592296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240592296.exe
1⤵
PID:2364
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:5004
- - C:\Users\Admin\AppData\Local\Temp\tmp240592500.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240592500.exe
    3⤵
    PID:1104
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:1572
    - - C:\Users\Admin\AppData\Local\Temp\tmp240592765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592765.exe
        5⤵
        
        PID:3184
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592968.exe
        7⤵
        
        PID:828
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593140.exe
        9⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593921.exe
        11⤵
        
        PID:1356
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594437.exe
        13⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        14⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594593.exe
        15⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594781.exe
        17⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594984.exe
        19⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595187.exe
        21⤵
        Drops file in System32 directory
        
        PID:4280
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        22⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609843.exe
        23⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609875.exe
        23⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595250.exe
        21⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598453.exe
        20⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        21⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598656.exe
        22⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598703.exe
        23⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614250.exe
        23⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614328.exe
        23⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615984.exe
        24⤵
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612125.exe
        22⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614015.exe
        23⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614078.exe
        23⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614093.exe
        24⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        25⤵
        
        PID:4608
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        25⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595093.exe
        19⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605562.exe
        19⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605609.exe
        20⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617031.exe
        20⤵
        
        PID:736
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        21⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617156.exe
        22⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617187.exe
        23⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        24⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617437.exe
        23⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617125.exe
        22⤵
        
        PID:400
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        23⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607218.exe
        23⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        22⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617046.exe
        20⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617203.exe
        21⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617218.exe
        21⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617312.exe
        22⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612250.exe
        23⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596421.exe
        24⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596406.exe
        24⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612234.exe
        23⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617328.exe
        22⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605546.exe
        19⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594843.exe
        17⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600593.exe
        17⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611859.exe
        18⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611843.exe
        18⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594609.exe
        15⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600375.exe
        15⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609546.exe
        15⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607359.exe
        16⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609609.exe
        15⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615296.exe
        15⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615312.exe
        15⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594453.exe
        13⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594296.exe
        11⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603218.exe
        11⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603234.exe
        11⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608640.exe
        10⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608609.exe
        10⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593781.exe
        9⤵
        
        PID:1548
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605140.exe
        11⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605125.exe
        11⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603156.exe
        11⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592984.exe
        7⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611437.exe
        8⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611546.exe
        9⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611656.exe
        10⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609406.exe
        11⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609375.exe
        11⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607125.exe
        12⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607109.exe
        12⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611484.exe
        9⤵
        Modifies registry class
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608437.exe
        7⤵
        
        PID:4560
    - - C:\Users\Admin\AppData\Local\Temp\tmp240592812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592812.exe
        5⤵
        
        PID:972
      - C:\Users\Admin\AppData\Local\Temp\tmp240618484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618484.exe
        6⤵
        
        PID:4644
      - C:\Users\Admin\AppData\Local\Temp\tmp240618515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618515.exe
        6⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618546.exe
        7⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618562.exe
        7⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618593.exe
        8⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618750.exe
        10⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        Checks computer location settings
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618765.exe
        10⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618875.exe
        11⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618859.exe
        11⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618953.exe
        13⤵
        Modifies registry class
        
        PID:4216
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        14⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619140.exe
        15⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619250.exe
        17⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619406.exe
        19⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619531.exe
        20⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        21⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619718.exe
        22⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        23⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620234.exe
        24⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620375.exe
        25⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620421.exe
        26⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620453.exe
        26⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620500.exe
        27⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620515.exe
        27⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620343.exe
        25⤵
        
        PID:696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619734.exe
        22⤵
        Drops file in System32 directory
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619765.exe
        23⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619781.exe
        23⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619828.exe
        24⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619890.exe
        24⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620140.exe
        25⤵
        
        PID:1156
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620015.exe
        25⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597421.exe
        25⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619671.exe
        20⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619687.exe
        21⤵
        Modifies registry class
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619812.exe
        21⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619906.exe
        22⤵
        Checks computer location settings
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619984.exe
        22⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619390.exe
        19⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619562.exe
        21⤵
        Drops file in System32 directory
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619578.exe
        21⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619609.exe
        22⤵
        
        PID:344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619640.exe
        22⤵
        Checks computer location settings
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604203.exe
        23⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604187.exe
        23⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619843.exe
        23⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619859.exe
        23⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619921.exe
        24⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620062.exe
        24⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597640.exe
        25⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597000.exe
        22⤵
        
        PID:344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596984.exe
        22⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        19⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607500.exe
        18⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619343.exe
        17⤵
        Drops file in System32 directory
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619359.exe
        18⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619375.exe
        18⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619500.exe
        19⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606171.exe
        20⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619546.exe
        19⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619593.exe
        20⤵
        
        PID:2364
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619203.exe
        15⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619218.exe
        16⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609656.exe
        17⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598468.exe
        19⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609625.exe
        17⤵
        Modifies registry class
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619234.exe
        16⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619281.exe
        17⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600546.exe
        18⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619296.exe
        17⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619328.exe
        18⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619453.exe
        18⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602109.exe
        19⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605687.exe
        16⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        14⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619015.exe
        13⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619046.exe
        14⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619078.exe
        15⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619171.exe
        16⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619156.exe
        16⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619062.exe
        15⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605468.exe
        16⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605453.exe
        16⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598359.exe
        16⤵
        Checks computer location settings
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598343.exe
        16⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619031.exe
        14⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611828.exe
        14⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611750.exe
        14⤵
        Modifies registry class
        
        PID:812
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        14⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605171.exe
        15⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        Modifies registry class
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603781.exe
        14⤵
        
        PID:4224
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607937.exe
        10⤵
        Checks computer location settings
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607906.exe
        10⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618609.exe
        8⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618640.exe
        9⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618703.exe
        9⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607828.exe
        10⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599109.exe
        11⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599078.exe
        11⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607812.exe
        10⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600296.exe
        9⤵
        Drops file in System32 directory
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613031.exe
        7⤵
        
        PID:2512
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:1164
      - C:\Users\Admin\AppData\Local\Temp\tmp240603000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603000.exe
        6⤵
        
        PID:672
      - C:\Users\Admin\AppData\Local\Temp\tmp240602984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602984.exe
        6⤵
        Checks computer location settings
        
        PID:4092
- - C:\Users\Admin\AppData\Local\Temp\tmp240592609.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240592609.exe
    3⤵
    PID:1808
- C:\Users\Admin\AppData\Local\Temp\tmp240597578.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240597578.exe
  2⤵
  PID:4024
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:2668
  - - C:\Users\Admin\AppData\Local\Temp\tmp240604890.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240604890.exe
      4⤵
      PID:2792
    - - C:\Users\Admin\AppData\Local\Temp\tmp240604921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604921.exe
        5⤵
        
        PID:1364
    - - C:\Users\Admin\AppData\Local\Temp\tmp240604906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604906.exe
        5⤵
        
        PID:4048
  - - C:\Users\Admin\AppData\Local\Temp\tmp240604875.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240604875.exe
      4⤵
      PID:3888
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:3872
  - - C:\Users\Admin\AppData\Local\Temp\tmp240599796.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240599796.exe
      4⤵
      PID:1808
- C:\Users\Admin\AppData\Local\Temp\tmp240597593.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240597593.exe
  2⤵
  PID:4672
- - C:\Users\Admin\AppData\Local\Temp\tmp240597671.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240597671.exe
    3⤵
    PID:3172

C:\Users\Admin\AppData\Local\Temp\tmp240595375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240595375.exe
1⤵
PID:4440
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:3920
- - C:\Users\Admin\AppData\Local\Temp\tmp240595906.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240595906.exe
    3⤵
    PID:1516
  - - C:\Users\Admin\AppData\Local\Temp\tmp240600968.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240600968.exe
      4⤵
      PID:488
  - - C:\Users\Admin\AppData\Local\Temp\tmp240600984.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240600984.exe
      4⤵
      PID:4820
- - C:\Users\Admin\AppData\Local\Temp\tmp240595546.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240595546.exe
    3⤵
    PID:3964
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:1252
    - - C:\Users\Admin\AppData\Local\Temp\tmp240598921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598921.exe
        5⤵
        
        PID:4904
    - - C:\Users\Admin\AppData\Local\Temp\tmp240598890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598890.exe
        5⤵
        Drops file in System32 directory
        
        PID:4500
- C:\Users\Admin\AppData\Local\Temp\tmp240600843.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240600843.exe
  2⤵
  PID:4484
- C:\Users\Admin\AppData\Local\Temp\tmp240600875.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240600875.exe
  2⤵
  PID:4368

C:\Users\Admin\AppData\Local\Temp\tmp240595437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240595437.exe
1⤵
PID:3216

C:\Users\Admin\AppData\Local\Temp\tmp240596562.exe
C:\Users\Admin\AppData\Local\Temp\tmp240596562.exe
1⤵
PID:428

C:\Users\Admin\AppData\Local\Temp\tmp240596687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240596687.exe
1⤵
PID:4312
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:2680
- - C:\Users\Admin\AppData\Local\Temp\tmp240596859.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240596859.exe
    3⤵
    PID:536
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:4852
    - - C:\Users\Admin\AppData\Local\Temp\tmp240597062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597062.exe
        5⤵
        
        PID:220
  - - C:\Users\Admin\AppData\Local\Temp\tmp240614468.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240614468.exe
      4⤵
      PID:2172
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:4400
      - C:\Users\Admin\AppData\Local\Temp\tmp240614562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614562.exe
        6⤵
        
        PID:440
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614812.exe
        8⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614875.exe
        9⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604812.exe
        10⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604796.exe
        10⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602906.exe
        11⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602875.exe
        11⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614890.exe
        9⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615000.exe
        10⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615062.exe
        11⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615046.exe
        11⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614671.exe
        8⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        
        PID:3164
      - C:\Users\Admin\AppData\Local\Temp\tmp240614609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614609.exe
        6⤵
        
        PID:4672
  - - C:\Users\Admin\AppData\Local\Temp\tmp240614484.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240614484.exe
      4⤵
      PID:2088
    - - C:\Users\Admin\AppData\Local\Temp\tmp240614531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614531.exe
        5⤵
        
        PID:4852
      - C:\Users\Admin\AppData\Local\Temp\tmp240610656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610656.exe
        6⤵
        
        PID:440
    - - C:\Users\Admin\AppData\Local\Temp\tmp240614546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614546.exe
        5⤵
        
        PID:4740
      - C:\Users\Admin\AppData\Local\Temp\tmp240614750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614750.exe
        6⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614828.exe
        7⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613250.exe
        8⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611109.exe
        9⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615234.exe
        7⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        
        PID:3484
- - C:\Users\Admin\AppData\Local\Temp\tmp240596906.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240596906.exe
    3⤵
    PID:4656

C:\Users\Admin\AppData\Local\Temp\tmp240596718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240596718.exe
1⤵
PID:3412
- C:\Users\Admin\AppData\Local\Temp\tmp240596796.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240596796.exe
  2⤵
  PID:4700
- C:\Users\Admin\AppData\Local\Temp\tmp240596781.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240596781.exe
  2⤵
  PID:1804

C:\Users\Admin\AppData\Local\Temp\tmp240597218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240597218.exe
1⤵
PID:5100

C:\Users\Admin\AppData\Local\Temp\tmp240597281.exe
C:\Users\Admin\AppData\Local\Temp\tmp240597281.exe
1⤵
PID:3328
- C:\Users\Admin\AppData\Local\Temp\tmp240597390.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240597390.exe
  2⤵
  PID:1576
- - C:\Users\Admin\AppData\Local\Temp\tmp240604703.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240604703.exe
    3⤵
    PID:3692

C:\Users\Admin\AppData\Local\Temp\tmp240597468.exe
C:\Users\Admin\AppData\Local\Temp\tmp240597468.exe
1⤵
PID:4460
- C:\Users\Admin\AppData\Local\Temp\tmp240597515.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240597515.exe
  2⤵
  PID:2512
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:1880

C:\Users\Admin\AppData\Local\Temp\tmp240597718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240597718.exe
1⤵
PID:3888
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1912
- - C:\Users\Admin\AppData\Local\Temp\tmp240605015.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240605015.exe
    3⤵
    PID:1028
  - - C:\Users\Admin\AppData\Local\Temp\tmp240613546.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240613546.exe
      4⤵
      PID:2280
    - - C:\Users\Admin\AppData\Local\Temp\tmp240613578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613578.exe
        5⤵
        
        PID:1132
      - C:\Users\Admin\AppData\Local\Temp\tmp240613625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613625.exe
        6⤵
        
        PID:2896
      - C:\Users\Admin\AppData\Local\Temp\tmp240613609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613609.exe
        6⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603265.exe
        8⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        Drops file in System32 directory
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603250.exe
        8⤵
        
        PID:1132
    - - C:\Users\Admin\AppData\Local\Temp\tmp240613562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613562.exe
        5⤵
        
        PID:716
    - - C:\Users\Admin\AppData\Local\Temp\tmp240603109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603109.exe
        5⤵
        
        PID:696
      - C:\Users\Admin\AppData\Local\Temp\tmp240598046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598046.exe
        6⤵
        
        PID:1236
    - - C:\Users\Admin\AppData\Local\Temp\tmp240603093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603093.exe
        5⤵
        
        PID:2548
  - - C:\Users\Admin\AppData\Local\Temp\tmp240613531.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240613531.exe
      4⤵
      PID:2004
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:1236
  - - C:\Users\Admin\AppData\Local\Temp\tmp240616906.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240616906.exe
      4⤵
      PID:1296
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:4464
    - - C:\Users\Admin\AppData\Local\Temp\tmp240611890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611890.exe
        5⤵
        
        PID:1824
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:2272

C:\Users\Admin\AppData\Local\Temp\tmp240597734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240597734.exe
1⤵
PID:3184
- C:\Users\Admin\AppData\Local\Temp\tmp240597781.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240597781.exe
  2⤵
  PID:1232

C:\Users\Admin\AppData\Local\Temp\tmp240597906.exe
C:\Users\Admin\AppData\Local\Temp\tmp240597906.exe
1⤵
PID:2308
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:696
- - C:\Users\Admin\AppData\Local\Temp\tmp240598062.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240598062.exe
    3⤵
    PID:1624
  - - C:\Users\Admin\AppData\Local\Temp\tmp240615265.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240615265.exe
      4⤵
      PID:1468
  - - C:\Users\Admin\AppData\Local\Temp\tmp240615281.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240615281.exe
      4⤵
      PID:1736
- - C:\Users\Admin\AppData\Local\Temp\tmp240603125.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240603125.exe
    3⤵
    PID:2044
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:2544
    - - C:\Users\Admin\AppData\Local\Temp\tmp240607078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607078.exe
        5⤵
        
        PID:4780
- C:\Users\Admin\AppData\Local\Temp\tmp240606937.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240606937.exe
  2⤵
  PID:1620
- - C:\Users\Admin\AppData\Local\Temp\tmp240611578.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240611578.exe
    3⤵
    PID:1548
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:1296
    - - C:\Users\Admin\AppData\Local\Temp\tmp240607234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607234.exe
        5⤵
        
        PID:3616
- - C:\Users\Admin\AppData\Local\Temp\tmp240611640.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240611640.exe
    3⤵
    PID:5056
- C:\Users\Admin\AppData\Local\Temp\tmp240606921.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240606921.exe
  2⤵
  PID:2044

C:\Users\Admin\AppData\Local\Temp\tmp240597984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240597984.exe
1⤵
PID:2280

C:\Users\Admin\AppData\Local\Temp\tmp240598312.exe
C:\Users\Admin\AppData\Local\Temp\tmp240598312.exe
1⤵
PID:4624

C:\Users\Admin\AppData\Local\Temp\tmp240598781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240598781.exe
1⤵
PID:2404
- C:\Users\Admin\AppData\Local\Temp\tmp240598828.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240598828.exe
  2⤵
  PID:1168
- C:\Users\Admin\AppData\Local\Temp\tmp240598843.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240598843.exe
  2⤵
  - Modifies registry class
  PID:3996

C:\Users\Admin\AppData\Local\Temp\tmp240599171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599171.exe
1⤵
PID:4932
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:308

C:\Users\Admin\AppData\Local\Temp\tmp240599343.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599343.exe
1⤵
PID:700

C:\Users\Admin\AppData\Local\Temp\tmp240599359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599359.exe
1⤵
PID:3768

C:\Users\Admin\AppData\Local\Temp\tmp240599453.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599453.exe
1⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\tmp240599609.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599609.exe
1⤵
PID:3660
- C:\Users\Admin\AppData\Local\Temp\tmp240602765.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240602765.exe
  2⤵
  PID:3484
- - C:\Users\Admin\AppData\Local\Temp\tmp240606562.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240606562.exe
    3⤵
    PID:3456
  - - C:\Users\Admin\AppData\Local\Temp\tmp240606593.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240606593.exe
      4⤵
      PID:5012
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:3180
    - - C:\Users\Admin\AppData\Local\Temp\tmp240602734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602734.exe
        5⤵
        
        PID:3660
      - C:\Users\Admin\AppData\Local\Temp\tmp240599671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599671.exe
        6⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2512
      - C:\Users\Admin\AppData\Local\Temp\tmp240599640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599640.exe
        6⤵
        
        PID:3488
  - - C:\Users\Admin\AppData\Local\Temp\tmp240606578.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240606578.exe
      4⤵
      PID:4392
- - C:\Users\Admin\AppData\Local\Temp\tmp240606546.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240606546.exe
    3⤵
    - Checks computer location settings
    - Drops file in System32 directory
    PID:3688
- C:\Users\Admin\AppData\Local\Temp\tmp240602781.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240602781.exe
  2⤵
  PID:3692
- - C:\Users\Admin\AppData\Local\Temp\tmp240599750.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240599750.exe
    3⤵
    - Drops file in System32 directory
    PID:1104

C:\Users\Admin\AppData\Local\Temp\tmp240599765.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599765.exe
1⤵
PID:2668
- C:\Users\Admin\AppData\Local\Temp\tmp240599828.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240599828.exe
  2⤵
  PID:3140

C:\Users\Admin\AppData\Local\Temp\tmp240599937.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599937.exe
1⤵
PID:4272
- C:\Users\Admin\AppData\Local\Temp\tmp240613281.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240613281.exe
  2⤵
  PID:4344

C:\Users\Admin\AppData\Local\Temp\tmp240600093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240600093.exe
1⤵
PID:2412
- C:\Users\Admin\AppData\Local\Temp\tmp240600140.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240600140.exe
  2⤵
  PID:1216
- C:\Users\Admin\AppData\Local\Temp\tmp240600125.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240600125.exe
  2⤵
  PID:2688

C:\Users\Admin\AppData\Local\Temp\tmp240600234.exe
C:\Users\Admin\AppData\Local\Temp\tmp240600234.exe
1⤵
PID:4736
- C:\Users\Admin\AppData\Local\Temp\tmp240600281.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240600281.exe
  2⤵
  PID:2612

C:\Users\Admin\AppData\Local\Temp\tmp240600531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240600531.exe
1⤵
PID:2140
- C:\Users\Admin\AppData\Local\Temp\tmp240609687.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240609687.exe
  2⤵
  PID:1988
- C:\Users\Admin\AppData\Local\Temp\tmp240609703.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240609703.exe
  2⤵
  PID:4464

C:\Users\Admin\AppData\Local\Temp\tmp240600703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240600703.exe
1⤵
PID:4164

C:\Users\Admin\AppData\Local\Temp\tmp240600921.exe
C:\Users\Admin\AppData\Local\Temp\tmp240600921.exe
1⤵
PID:4692
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:3996

C:\Users\Admin\AppData\Local\Temp\tmp240601046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240601046.exe
1⤵
PID:4856
- C:\Users\Admin\AppData\Local\Temp\tmp240601093.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240601093.exe
  2⤵
  PID:4848
- C:\Users\Admin\AppData\Local\Temp\tmp240601078.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240601078.exe
  2⤵
  PID:4908
- C:\Users\Admin\AppData\Local\Temp\tmp240605890.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240605890.exe
  2⤵
  PID:4908
- - C:\Users\Admin\AppData\Local\Temp\tmp240615921.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240615921.exe
    3⤵
    PID:1508
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:4640
    - - C:\Users\Admin\AppData\Local\Temp\tmp240616046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616046.exe
        5⤵
        
        PID:1860
      - C:\Users\Admin\AppData\Local\Temp\tmp240616062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616062.exe
        6⤵
        
        PID:2680
      - C:\Users\Admin\AppData\Local\Temp\tmp240616093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616093.exe
        6⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604718.exe
        7⤵
        
        PID:2212
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:3012
- C:\Users\Admin\AppData\Local\Temp\tmp240605875.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240605875.exe
  2⤵
  PID:4904
- - C:\Users\Admin\AppData\Local\Temp\tmp240598968.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240598968.exe
    3⤵
    PID:3672
- - C:\Users\Admin\AppData\Local\Temp\tmp240598953.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240598953.exe
    3⤵
    - Drops file in System32 directory
    PID:3536

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:568
- C:\Users\Admin\AppData\Local\Temp\tmp240601140.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240601140.exe
  2⤵
  PID:428
- C:\Users\Admin\AppData\Local\Temp\tmp240605968.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240605968.exe
  2⤵
  PID:2040
- - C:\Users\Admin\AppData\Local\Temp\tmp240606000.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240606000.exe
    3⤵
    PID:4184
  - - C:\Users\Admin\AppData\Local\Temp\tmp240612750.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240612750.exe
      4⤵
      PID:4920
  - - C:\Users\Admin\AppData\Local\Temp\tmp240612718.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240612718.exe
      4⤵
      PID:1864
- - C:\Users\Admin\AppData\Local\Temp\tmp240605984.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240605984.exe
    3⤵
    PID:2092
- C:\Users\Admin\AppData\Local\Temp\tmp240605953.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240605953.exe
  2⤵
  PID:4704
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:3584

C:\Users\Admin\AppData\Local\Temp\tmp240601015.exe
C:\Users\Admin\AppData\Local\Temp\tmp240601015.exe
1⤵
PID:5040

C:\Users\Admin\AppData\Local\Temp\tmp240600937.exe
C:\Users\Admin\AppData\Local\Temp\tmp240600937.exe
1⤵
PID:1516

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:4052

C:\Users\Admin\AppData\Local\Temp\tmp240600781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240600781.exe
1⤵
- Checks computer location settings
PID:4440

C:\Users\Admin\AppData\Local\Temp\tmp240600765.exe
C:\Users\Admin\AppData\Local\Temp\tmp240600765.exe
1⤵
PID:4604

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:5064

C:\Users\Admin\AppData\Local\Temp\tmp240602343.exe
C:\Users\Admin\AppData\Local\Temp\tmp240602343.exe
1⤵
PID:3204
- C:\Users\Admin\AppData\Local\Temp\tmp240604437.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240604437.exe
  2⤵
  PID:4684

C:\Users\Admin\AppData\Local\Temp\tmp240602468.exe
C:\Users\Admin\AppData\Local\Temp\tmp240602468.exe
1⤵
PID:116

C:\Users\Admin\AppData\Local\Temp\tmp240602609.exe
C:\Users\Admin\AppData\Local\Temp\tmp240602609.exe
1⤵
PID:4000
- C:\Users\Admin\AppData\Local\Temp\tmp240604656.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240604656.exe
  2⤵
  PID:5012
- - C:\Users\Admin\AppData\Local\Temp\tmp240611125.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240611125.exe
    3⤵
    PID:4404
- C:\Users\Admin\AppData\Local\Temp\tmp240604671.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240604671.exe
  2⤵
  PID:1576
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:2364

C:\Users\Admin\AppData\Local\Temp\tmp240602859.exe
C:\Users\Admin\AppData\Local\Temp\tmp240602859.exe
1⤵
PID:4192
- C:\Users\Admin\AppData\Local\Temp\tmp240606718.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240606718.exe
  2⤵
  PID:4884
- C:\Users\Admin\AppData\Local\Temp\tmp240606687.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240606687.exe
  2⤵
  PID:972

C:\Users\Admin\AppData\Local\Temp\tmp240603015.exe
C:\Users\Admin\AppData\Local\Temp\tmp240603015.exe
1⤵
PID:2792

C:\Users\Admin\AppData\Local\Temp\tmp240603031.exe
C:\Users\Admin\AppData\Local\Temp\tmp240603031.exe
1⤵
PID:3340

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:2280

C:\Users\Admin\AppData\Local\Temp\tmp240603359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240603359.exe
1⤵
PID:4408

C:\Users\Admin\AppData\Local\Temp\tmp240603375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240603375.exe
1⤵
PID:3812
- C:\Users\Admin\AppData\Local\Temp\tmp240605421.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240605421.exe
  2⤵
  PID:4008
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:4556
  - - C:\Users\Admin\AppData\Local\Temp\tmp240598531.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240598531.exe
      4⤵
      PID:5008
  - - C:\Users\Admin\AppData\Local\Temp\tmp240598500.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240598500.exe
      4⤵
      PID:3508
- C:\Users\Admin\AppData\Local\Temp\tmp240605437.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240605437.exe
  2⤵
  PID:4624

C:\Users\Admin\AppData\Local\Temp\tmp240603484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240603484.exe
1⤵
PID:3492
- C:\Users\Admin\AppData\Local\Temp\tmp240603515.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240603515.exe
  2⤵
  PID:3176
- C:\Users\Admin\AppData\Local\Temp\tmp240603500.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240603500.exe
  2⤵
  - Modifies registry class
  PID:64

C:\Users\Admin\AppData\Local\Temp\tmp240603593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240603593.exe
1⤵
- Checks computer location settings
PID:2828
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:3948

C:\Users\Admin\AppData\Local\Temp\tmp240603750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240603750.exe
1⤵
PID:4652
- C:\Users\Admin\AppData\Local\Temp\tmp240603796.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240603796.exe
  2⤵
  PID:4448
- C:\Users\Admin\AppData\Local\Temp\tmp240605671.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240605671.exe
  2⤵
  PID:2492
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:3956
- - C:\Users\Admin\AppData\Local\Temp\tmp240614125.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240614125.exe
    3⤵
    - Checks computer location settings
    - Drops file in System32 directory
    PID:5040
- - C:\Users\Admin\AppData\Local\Temp\tmp240614203.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240614203.exe
    3⤵
    PID:3928
  - - C:\Users\Admin\AppData\Local\Temp\tmp240614312.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240614312.exe
      4⤵
      PID:4944
  - - C:\Users\Admin\AppData\Local\Temp\tmp240616000.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240616000.exe
      4⤵
      PID:4920

C:\Users\Admin\AppData\Local\Temp\tmp240603890.exe
C:\Users\Admin\AppData\Local\Temp\tmp240603890.exe
1⤵
PID:3956

C:\Users\Admin\AppData\Local\Temp\tmp240604046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240604046.exe
1⤵
PID:4824
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:4284
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:4492
  - - C:\Users\Admin\AppData\Local\Temp\tmp240604359.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240604359.exe
      4⤵
      PID:2604
  - - C:\Users\Admin\AppData\Local\Temp\tmp240604343.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240604343.exe
      4⤵
      Checks computer location settings
      PID:1688

C:\Users\Admin\AppData\Local\Temp\tmp240604218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240604218.exe
1⤵
PID:2040

C:\Users\Admin\AppData\Local\Temp\tmp240604234.exe
C:\Users\Admin\AppData\Local\Temp\tmp240604234.exe
1⤵
PID:4184

C:\Users\Admin\AppData\Local\Temp\tmp240604296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240604296.exe
1⤵
PID:8
- C:\Users\Admin\AppData\Local\Temp\tmp240614437.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240614437.exe
  2⤵
  PID:3444

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:116
- C:\Users\Admin\AppData\Local\Temp\tmp240604562.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240604562.exe
  2⤵
  PID:4196
- - C:\Users\Admin\AppData\Local\Temp\tmp240604609.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240604609.exe
    3⤵
    PID:3328
- - C:\Users\Admin\AppData\Local\Temp\tmp240616328.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240616328.exe
    3⤵
    PID:2196
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:1156
    - - C:\Users\Admin\AppData\Local\Temp\tmp240616515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616515.exe
        5⤵
        
        PID:2316
      - C:\Users\Admin\AppData\Local\Temp\tmp240616546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616546.exe
        6⤵
        Checks computer location settings
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614671.exe
        7⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        
        PID:4644
      - C:\Users\Admin\AppData\Local\Temp\tmp240616562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616562.exe
        6⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616656.exe
        7⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616890.exe
        8⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606968.exe
        10⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605062.exe
        11⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605046.exe
        11⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606953.exe
        10⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616875.exe
        8⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611281.exe
        9⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602843.exe
        10⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620156.exe
        9⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620546.exe
        11⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620796.exe
        13⤵
        Checks computer location settings
        
        PID:2832
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        14⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621093.exe
        15⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621421.exe
        17⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621750.exe
        19⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622046.exe
        21⤵
        Checks computer location settings
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622109.exe
        21⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622140.exe
        22⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621781.exe
        19⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621843.exe
        20⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621906.exe
        21⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621921.exe
        21⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621953.exe
        22⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621984.exe
        22⤵
        Drops file in System32 directory
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621812.exe
        20⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621437.exe
        17⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621468.exe
        18⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621484.exe
        18⤵
        
        PID:736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621515.exe
        19⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621531.exe
        19⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621609.exe
        20⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621625.exe
        20⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621109.exe
        15⤵
        
        PID:1088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621156.exe
        16⤵
        Modifies registry class
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621187.exe
        16⤵
        Checks computer location settings
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621234.exe
        17⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621250.exe
        17⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621296.exe
        18⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621312.exe
        18⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620812.exe
        13⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620843.exe
        14⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620859.exe
        14⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620906.exe
        15⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620968.exe
        16⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620984.exe
        16⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620890.exe
        15⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620578.exe
        11⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620609.exe
        12⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620640.exe
        12⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620656.exe
        13⤵
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620703.exe
        13⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620734.exe
        14⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620765.exe
        14⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616625.exe
        7⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611421.exe
        8⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611390.exe
        8⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606875.exe
        7⤵
        
        PID:1232
      - C:\Users\Admin\AppData\Local\Temp\tmp240599921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599921.exe
        6⤵
        
        PID:1340
- C:\Users\Admin\AppData\Local\Temp\tmp240606421.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240606421.exe
  2⤵
  PID:4324
- - C:\Users\Admin\AppData\Local\Temp\tmp240606453.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240606453.exe
    3⤵
    PID:3164
  - - C:\Users\Admin\AppData\Local\Temp\tmp240610828.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240610828.exe
      4⤵
      PID:3328
  - - C:\Users\Admin\AppData\Local\Temp\tmp240610796.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240610796.exe
      4⤵
      PID:2156
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:4236
- - C:\Users\Admin\AppData\Local\Temp\tmp240606484.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240606484.exe
    3⤵
    PID:4268

C:\Users\Admin\AppData\Local\Temp\tmp240604765.exe
C:\Users\Admin\AppData\Local\Temp\tmp240604765.exe
1⤵
PID:4884

C:\Users\Admin\AppData\Local\Temp\tmp240605156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240605156.exe
1⤵
PID:1292

C:\Users\Admin\AppData\Local\Temp\tmp240605328.exe
C:\Users\Admin\AppData\Local\Temp\tmp240605328.exe
1⤵
PID:3256
- C:\Users\Admin\AppData\Local\Temp\tmp240605375.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240605375.exe
  2⤵
  PID:2272
- - C:\Users\Admin\AppData\Local\Temp\tmp240598296.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240598296.exe
    3⤵
    PID:2660
- C:\Users\Admin\AppData\Local\Temp\tmp240605359.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240605359.exe
  2⤵
  PID:1960

C:\Users\Admin\AppData\Local\Temp\tmp240605718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240605718.exe
1⤵
PID:4980
- C:\Users\Admin\AppData\Local\Temp\tmp240607625.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240607625.exe
  2⤵
  PID:2492

C:\Users\Admin\AppData\Local\Temp\tmp240606140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240606140.exe
1⤵
PID:2680
- C:\Users\Admin\AppData\Local\Temp\tmp240606187.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240606187.exe
  2⤵
  PID:4700

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:3204
- C:\Users\Admin\AppData\Local\Temp\tmp240606281.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240606281.exe
  2⤵
  PID:3496
- C:\Users\Admin\AppData\Local\Temp\tmp240606265.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240606265.exe
  2⤵
  PID:2752
- C:\Users\Admin\AppData\Local\Temp\tmp240604421.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240604421.exe
  2⤵
  PID:1860
- - C:\Users\Admin\AppData\Local\Temp\tmp240619703.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240619703.exe
    3⤵
    PID:224
- - C:\Users\Admin\AppData\Local\Temp\tmp240602453.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240602453.exe
    3⤵
    - Modifies registry class
    PID:1512

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:3140
- C:\Users\Admin\AppData\Local\Temp\tmp240606671.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240606671.exe
  2⤵
  PID:4192
- C:\Users\Admin\AppData\Local\Temp\tmp240606656.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240606656.exe
  2⤵
  PID:4148

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:4048
- C:\Users\Admin\AppData\Local\Temp\tmp240606828.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240606828.exe
  2⤵
  PID:4748
- C:\Users\Admin\AppData\Local\Temp\tmp240606812.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240606812.exe
  2⤵
  - Checks computer location settings
  PID:5044

C:\Users\Admin\AppData\Local\Temp\tmp240606843.exe
C:\Users\Admin\AppData\Local\Temp\tmp240606843.exe
1⤵
PID:1364
- C:\Users\Admin\AppData\Local\Temp\tmp240608562.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240608562.exe
  2⤵
  PID:1912
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:4844
- C:\Users\Admin\AppData\Local\Temp\tmp240608578.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240608578.exe
  2⤵
  PID:2836

C:\Users\Admin\AppData\Local\Temp\tmp240607187.exe
C:\Users\Admin\AppData\Local\Temp\tmp240607187.exe
1⤵
PID:2340

C:\Users\Admin\AppData\Local\Temp\tmp240607250.exe
C:\Users\Admin\AppData\Local\Temp\tmp240607250.exe
1⤵
PID:2232
- C:\Users\Admin\AppData\Local\Temp\tmp240613812.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240613812.exe
  2⤵
  PID:2340

C:\Users\Admin\AppData\Local\Temp\tmp240607343.exe
C:\Users\Admin\AppData\Local\Temp\tmp240607343.exe
1⤵
PID:3460
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:2012
- - C:\Users\Admin\AppData\Local\Temp\tmp240607468.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240607468.exe
    3⤵
    PID:4916
- - C:\Users\Admin\AppData\Local\Temp\tmp240607453.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240607453.exe
    3⤵
    PID:3748
- - C:\Users\Admin\AppData\Local\Temp\tmp240603656.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240603656.exe
    3⤵
    PID:1988
- - C:\Users\Admin\AppData\Local\Temp\tmp240603640.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240603640.exe
    3⤵
    PID:4728

C:\Users\Admin\AppData\Local\Temp\tmp240607515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240607515.exe
1⤵
PID:4880

C:\Users\Admin\AppData\Local\Temp\tmp240607703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240607703.exe
1⤵
PID:1128
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:628
- - C:\Users\Admin\AppData\Local\Temp\tmp240612890.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240612890.exe
    3⤵
    PID:3584
  - - C:\Users\Admin\AppData\Local\Temp\tmp240610546.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240610546.exe
      4⤵
      PID:764
- - C:\Users\Admin\AppData\Local\Temp\tmp240612875.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240612875.exe
    3⤵
    PID:5116
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      Drops file in System32 directory
      PID:1860

C:\Users\Admin\AppData\Local\Temp\tmp240607750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240607750.exe
1⤵
PID:4044

C:\Users\Admin\AppData\Local\Temp\tmp240608093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240608093.exe
1⤵
PID:4852
- C:\Users\Admin\AppData\Local\Temp\tmp240610687.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240610687.exe
  2⤵
  PID:1644
- - C:\Users\Admin\AppData\Local\Temp\tmp240610734.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240610734.exe
    3⤵
    PID:3732

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:3328

C:\Users\Admin\AppData\Local\Temp\tmp240608328.exe
C:\Users\Admin\AppData\Local\Temp\tmp240608328.exe
1⤵
PID:1664

C:\Users\Admin\AppData\Local\Temp\tmp240608718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240608718.exe
1⤵
PID:3112
- C:\Users\Admin\AppData\Local\Temp\tmp240608750.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240608750.exe
  2⤵
  PID:4288
- C:\Users\Admin\AppData\Local\Temp\tmp240608734.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240608734.exe
  2⤵
  PID:3192
- - C:\Users\Admin\AppData\Local\Temp\tmp240615328.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240615328.exe
    3⤵
    PID:736
- - C:\Users\Admin\AppData\Local\Temp\tmp240615500.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240615500.exe
    3⤵
    PID:1952
  - - C:\Users\Admin\AppData\Local\Temp\tmp240615531.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240615531.exe
      4⤵
      Drops file in System32 directory
      PID:2340
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:2420
  - - C:\Users\Admin\AppData\Local\Temp\tmp240615546.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240615546.exe
      4⤵
      PID:2232
    - - C:\Users\Admin\AppData\Local\Temp\tmp240615656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615656.exe
        5⤵
        
        PID:2272
      - C:\Users\Admin\AppData\Local\Temp\tmp240613843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613843.exe
        6⤵
        
        PID:812
    - - C:\Users\Admin\AppData\Local\Temp\tmp240615640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615640.exe
        5⤵
        
        PID:3464
    - - C:\Users\Admin\AppData\Local\Temp\tmp240613828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613828.exe
        5⤵
        
        PID:3476
      - C:\Users\Admin\AppData\Local\Temp\tmp240600671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600671.exe
        6⤵
        
        PID:3500
      - C:\Users\Admin\AppData\Local\Temp\tmp240600640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600640.exe
        6⤵
        
        PID:2584
  - - C:\Users\Admin\AppData\Local\Temp\tmp240613750.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240613750.exe
      4⤵
      PID:760
- C:\Users\Admin\AppData\Local\Temp\tmp240615250.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240615250.exe
  2⤵
  PID:400
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:3460
  - - C:\Users\Admin\AppData\Local\Temp\tmp240600578.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240600578.exe
      4⤵
      Drops file in System32 directory
      PID:4200
- C:\Users\Admin\AppData\Local\Temp\tmp240615453.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240615453.exe
  2⤵
  PID:2248
- - C:\Users\Admin\AppData\Local\Temp\tmp240615515.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240615515.exe
    3⤵
    PID:4112
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:4916
    - - C:\Users\Admin\AppData\Local\Temp\tmp240615765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615765.exe
        5⤵
        
        PID:2652
      - C:\Users\Admin\AppData\Local\Temp\tmp240615796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615796.exe
        6⤵
        
        PID:5052
      - C:\Users\Admin\AppData\Local\Temp\tmp240615781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615781.exe
        6⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        
        PID:4804
  - - C:\Users\Admin\AppData\Local\Temp\tmp240603468.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240603468.exe
      4⤵
      PID:4200
- - C:\Users\Admin\AppData\Local\Temp\tmp240615562.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240615562.exe
    3⤵
    PID:5096
  - - C:\Users\Admin\AppData\Local\Temp\tmp240613984.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240613984.exe
      4⤵
      PID:1224
    - - C:\Users\Admin\AppData\Local\Temp\tmp240598718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598718.exe
        5⤵
        
        PID:4896
  - - C:\Users\Admin\AppData\Local\Temp\tmp240613953.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240613953.exe
      4⤵
      PID:4652
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:2272
  - - C:\Users\Admin\AppData\Local\Temp\tmp240609500.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240609500.exe
      4⤵
      PID:1736
    - - C:\Users\Admin\AppData\Local\Temp\tmp240600390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600390.exe
        5⤵
        
        PID:2120
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:2232
- - C:\Users\Admin\AppData\Local\Temp\tmp240598171.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240598171.exe
    3⤵
    PID:3708
- - C:\Users\Admin\AppData\Local\Temp\tmp240598156.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240598156.exe
    3⤵
    PID:1824

C:\Users\Admin\AppData\Local\Temp\tmp240608703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240608703.exe
1⤵
PID:4216

C:\Users\Admin\AppData\Local\Temp\tmp240609484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240609484.exe
1⤵
PID:4408

C:\Users\Admin\AppData\Local\Temp\tmp240609781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240609781.exe
1⤵
PID:4880

C:\Users\Admin\AppData\Local\Temp\tmp240609968.exe
C:\Users\Admin\AppData\Local\Temp\tmp240609968.exe
1⤵
PID:4980
- C:\Users\Admin\AppData\Local\Temp\tmp240610031.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240610031.exe
  2⤵
  PID:3284
- C:\Users\Admin\AppData\Local\Temp\tmp240610046.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240610046.exe
  2⤵
  PID:4044

C:\Users\Admin\AppData\Local\Temp\tmp240610531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240610531.exe
1⤵
PID:4700

C:\Users\Admin\AppData\Local\Temp\tmp240610578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240610578.exe
1⤵
PID:4644
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  PID:1740
- - C:\Users\Admin\AppData\Local\Temp\tmp240613078.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240613078.exe
    3⤵
    PID:3808
  - - C:\Users\Admin\AppData\Local\Temp\tmp240613093.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240613093.exe
      4⤵
      PID:1852
  - - C:\Users\Admin\AppData\Local\Temp\tmp240613234.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240613234.exe
      4⤵
      PID:4272
    - - C:\Users\Admin\AppData\Local\Temp\tmp240599968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599968.exe
        5⤵
        
        PID:1364
    - - C:\Users\Admin\AppData\Local\Temp\tmp240599953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599953.exe
        5⤵
        
        PID:828
- - C:\Users\Admin\AppData\Local\Temp\tmp240613062.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240613062.exe
    3⤵
    PID:4784

C:\Users\Admin\AppData\Local\Temp\tmp240610593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240610593.exe
1⤵
PID:1860

C:\Users\Admin\AppData\Local\Temp\tmp240611296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240611296.exe
1⤵
- Drops file in System32 directory
PID:4560
- C:\Users\Admin\AppData\Local\Temp\tmp240611343.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240611343.exe
  2⤵
  PID:4296
- C:\Users\Admin\AppData\Local\Temp\tmp240611359.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240611359.exe
  2⤵
  PID:1216
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1364

C:\Users\Admin\AppData\Local\Temp\tmp240611875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240611875.exe
1⤵
PID:64
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:3948
- - C:\Users\Admin\AppData\Local\Temp\tmp240603734.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240603734.exe
    3⤵
    PID:4648

C:\Users\Admin\AppData\Local\Temp\tmp240612062.exe
C:\Users\Admin\AppData\Local\Temp\tmp240612062.exe
1⤵
PID:2808
- C:\Users\Admin\AppData\Local\Temp\tmp240612093.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240612093.exe
  2⤵
  PID:3848
- - C:\Users\Admin\AppData\Local\Temp\tmp240598593.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240598593.exe
    3⤵
    PID:3032
- C:\Users\Admin\AppData\Local\Temp\tmp240612078.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240612078.exe
  2⤵
  PID:1284

C:\Users\Admin\AppData\Local\Temp\tmp240612296.exe
C:\Users\Admin\AppData\Local\Temp\tmp240612296.exe
1⤵
PID:4980
- C:\Users\Admin\AppData\Local\Temp\tmp240617515.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240617515.exe
  2⤵
  PID:4084
- - C:\Users\Admin\AppData\Local\Temp\tmp240617562.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240617562.exe
    3⤵
    PID:2172
- - C:\Users\Admin\AppData\Local\Temp\tmp240617578.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240617578.exe
    3⤵
    PID:3768
- C:\Users\Admin\AppData\Local\Temp\tmp240617500.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240617500.exe
  2⤵
  PID:4264
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Modifies registry class
    PID:4992
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:628
    - - C:\Users\Admin\AppData\Local\Temp\tmp240610359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610359.exe
        5⤵
        
        PID:1452
      - C:\Users\Admin\AppData\Local\Temp\tmp240607875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607875.exe
        6⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599250.exe
        7⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599234.exe
        7⤵
        Checks computer location settings
        
        PID:4312
      - C:\Users\Admin\AppData\Local\Temp\tmp240607859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607859.exe
        6⤵
        
        PID:364
    - - C:\Users\Admin\AppData\Local\Temp\tmp240610343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610343.exe
        5⤵
        
        PID:2088
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:4756
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:3536

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:2092
- C:\Users\Admin\AppData\Local\Temp\tmp240612390.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240612390.exe
  2⤵
  PID:4992
- C:\Users\Admin\AppData\Local\Temp\tmp240612671.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240612671.exe
  2⤵
  PID:4184

C:\Users\Admin\AppData\Local\Temp\tmp240612312.exe
C:\Users\Admin\AppData\Local\Temp\tmp240612312.exe
1⤵
PID:3996

C:\Users\Admin\AppData\Local\Temp\tmp240612921.exe
C:\Users\Admin\AppData\Local\Temp\tmp240612921.exe
1⤵
PID:4684
- C:\Users\Admin\AppData\Local\Temp\tmp240612953.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240612953.exe
  2⤵
  PID:2732
- - C:\Users\Admin\AppData\Local\Temp\tmp240613000.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240613000.exe
    3⤵
    PID:3384
  - - C:\Users\Admin\AppData\Local\Temp\tmp240608250.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240608250.exe
      4⤵
      PID:3488
  - - C:\Users\Admin\AppData\Local\Temp\tmp240608234.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240608234.exe
      4⤵
      PID:4476
- - C:\Users\Admin\AppData\Local\Temp\tmp240612984.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240612984.exe
    3⤵
    PID:2000

C:\Users\Admin\AppData\Local\Temp\tmp240613125.exe
C:\Users\Admin\AppData\Local\Temp\tmp240613125.exe
1⤵
PID:4460
- C:\Users\Admin\AppData\Local\Temp\tmp240613140.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240613140.exe
  2⤵
  PID:4204
- - C:\Users\Admin\AppData\Local\Temp\tmp240608312.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240608312.exe
    3⤵
    PID:1672
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      Checks computer location settings
      Drops file in System32 directory
      PID:2312
- C:\Users\Admin\AppData\Local\Temp\tmp240613156.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240613156.exe
  2⤵
  PID:1808

C:\Users\Admin\AppData\Local\Temp\tmp240613328.exe
C:\Users\Admin\AppData\Local\Temp\tmp240613328.exe
1⤵
PID:4524
- C:\Users\Admin\AppData\Local\Temp\tmp240613421.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240613421.exe
  2⤵
  PID:3100
- - C:\Users\Admin\AppData\Local\Temp\tmp240613468.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240613468.exe
    3⤵
    PID:1700
- - C:\Users\Admin\AppData\Local\Temp\tmp240613437.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240613437.exe
    3⤵
    PID:5020
- C:\Users\Admin\AppData\Local\Temp\tmp240613406.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240613406.exe
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  PID:928
- C:\Users\Admin\AppData\Local\Temp\tmp240600078.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240600078.exe
  2⤵
  PID:3424

C:\Users\Admin\AppData\Local\Temp\tmp240613703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240613703.exe
1⤵
PID:2248

C:\Users\Admin\AppData\Local\Temp\tmp240613859.exe
C:\Users\Admin\AppData\Local\Temp\tmp240613859.exe
1⤵
PID:4164
- C:\Users\Admin\AppData\Local\Temp\tmp240613890.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240613890.exe
  2⤵
  PID:5096
- - C:\Users\Admin\AppData\Local\Temp\tmp240607421.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240607421.exe
    3⤵
    PID:1988
- - C:\Users\Admin\AppData\Local\Temp\tmp240607406.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240607406.exe
    3⤵
    PID:64
- C:\Users\Admin\AppData\Local\Temp\tmp240613875.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240613875.exe
  2⤵
  PID:4648

C:\Users\Admin\AppData\Local\Temp\tmp240614578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240614578.exe
1⤵
PID:1940
- C:\Users\Admin\AppData\Local\Temp\tmp240614921.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240614921.exe
  2⤵
  PID:1880
- C:\Users\Admin\AppData\Local\Temp\tmp240614593.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240614593.exe
  2⤵
  PID:3764

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:5012
- C:\Users\Admin\AppData\Local\Temp\tmp240614968.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240614968.exe
  2⤵
  PID:5044
- - C:\Users\Admin\AppData\Local\Temp\tmp240615156.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240615156.exe
    3⤵
    PID:1624
  - - C:\Users\Admin\AppData\Local\Temp\tmp240598109.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240598109.exe
      4⤵
      PID:5060
  - - C:\Users\Admin\AppData\Local\Temp\tmp240598093.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240598093.exe
      4⤵
      PID:4288
- C:\Users\Admin\AppData\Local\Temp\tmp240614953.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240614953.exe
  2⤵
  PID:2952
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:2952

C:\Users\Admin\AppData\Local\Temp\tmp240614984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240614984.exe
1⤵
PID:2068
- C:\Users\Admin\AppData\Local\Temp\tmp240597968.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240597968.exe
  2⤵
  - Checks computer location settings
  PID:3424

C:\Users\Admin\AppData\Local\Temp\tmp240615093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615093.exe
1⤵
PID:1292
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:3192

C:\Users\Admin\AppData\Local\Temp\tmp240615703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615703.exe
1⤵
PID:4652
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1856

C:\Users\Admin\AppData\Local\Temp\tmp240615734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615734.exe
1⤵
PID:2208

C:\Users\Admin\AppData\Local\Temp\tmp240615734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615734.exe
1⤵
PID:4032

C:\Users\Admin\AppData\Local\Temp\tmp240615828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615828.exe
1⤵
PID:2388
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:4908
- C:\Users\Admin\AppData\Local\Temp\tmp240605859.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240605859.exe
  2⤵
  PID:4856

C:\Users\Admin\AppData\Local\Temp\tmp240615875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615875.exe
1⤵
PID:1884
- C:\Users\Admin\AppData\Local\Temp\tmp240615890.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240615890.exe
  2⤵
  PID:3848
- - C:\Users\Admin\AppData\Local\Temp\tmp240612140.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240612140.exe
    3⤵
    PID:4032
- C:\Users\Admin\AppData\Local\Temp\tmp240615906.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240615906.exe
  2⤵
  PID:4896
- - C:\Users\Admin\AppData\Local\Temp\tmp240616156.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240616156.exe
    3⤵
    PID:428
  - - C:\Users\Admin\AppData\Local\Temp\tmp240616390.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240616390.exe
      4⤵
      PID:4672
    - - C:\Users\Admin\AppData\Local\Temp\tmp240614656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614656.exe
        5⤵
        
        PID:3384
  - - C:\Users\Admin\AppData\Local\Temp\tmp240616421.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240616421.exe
      4⤵
      PID:1572
- - C:\Users\Admin\AppData\Local\Temp\tmp240612625.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240612625.exe
    3⤵
    PID:4756
  - - C:\Users\Admin\AppData\Local\Temp\tmp240604312.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240604312.exe
      4⤵
      PID:4492

C:\Users\Admin\AppData\Local\Temp\tmp240615859.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615859.exe
1⤵
PID:4608

C:\Users\Admin\AppData\Local\Temp\tmp240615968.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615968.exe
1⤵
PID:3928
- C:\Users\Admin\AppData\Local\Temp\tmp240616015.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240616015.exe
  2⤵
  PID:1128

C:\Users\Admin\AppData\Local\Temp\tmp240615218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615218.exe
1⤵
PID:3112

C:\Users\Admin\AppData\Local\Temp\tmp240615203.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615203.exe
1⤵
PID:3276

C:\Users\Admin\AppData\Local\Temp\tmp240616500.exe
C:\Users\Admin\AppData\Local\Temp\tmp240616500.exe
1⤵
PID:2380
- C:\Users\Admin\AppData\Local\Temp\tmp240614671.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240614671.exe
  2⤵
  PID:904

C:\Users\Admin\AppData\Local\Temp\tmp240615140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615140.exe
1⤵
PID:1960

C:\Users\Admin\AppData\Local\Temp\tmp240617359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240617359.exe
1⤵
PID:2140
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:3776

C:\Users\Admin\AppData\Local\Temp\tmp240617375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240617375.exe
1⤵
PID:4704

C:\Users\Admin\AppData\Local\Temp\tmp240614171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240614171.exe
1⤵
PID:1584

C:\Users\Admin\AppData\Local\Temp\tmp240614156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240614156.exe
1⤵
PID:4980
- C:\Users\Admin\AppData\Local\Temp\tmp240607609.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240607609.exe
  2⤵
  PID:1168

C:\Users\Admin\AppData\Local\Temp\tmp240613734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240613734.exe
1⤵
PID:1952
- C:\Users\Admin\AppData\Local\Temp\tmp240609343.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240609343.exe
  2⤵
  PID:5060
- C:\Users\Admin\AppData\Local\Temp\tmp240609328.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240609328.exe
  2⤵
  PID:644

C:\Users\Admin\AppData\Local\Temp\tmp240612046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240612046.exe
1⤵
PID:2140

C:\Users\Admin\AppData\Local\Temp\tmp240611078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240611078.exe
1⤵
PID:5012

C:\Users\Admin\AppData\Local\Temp\tmp240611062.exe
C:\Users\Admin\AppData\Local\Temp\tmp240611062.exe
1⤵
PID:4596

C:\Users\Admin\AppData\Local\Temp\tmp240609921.exe
C:\Users\Admin\AppData\Local\Temp\tmp240609921.exe
1⤵
PID:3536

C:\Users\Admin\AppData\Local\Temp\tmp240609796.exe
C:\Users\Admin\AppData\Local\Temp\tmp240609796.exe
1⤵
PID:3748
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:2208

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:4204

C:\Users\Admin\AppData\Local\Temp\tmp240608078.exe
C:\Users\Admin\AppData\Local\Temp\tmp240608078.exe
1⤵
- Drops file in System32 directory
PID:3764

C:\Users\Admin\AppData\Local\Temp\tmp240607765.exe
C:\Users\Admin\AppData\Local\Temp\tmp240607765.exe
1⤵
PID:1884
- C:\Users\Admin\AppData\Local\Temp\tmp240599187.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240599187.exe
  2⤵
  PID:1864

C:\Users\Admin\AppData\Local\Temp\tmp240607718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240607718.exe
1⤵
PID:4776

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:3380
- C:\Users\Admin\AppData\Local\Temp\tmp240604062.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240604062.exe
  2⤵
  PID:4680

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:116
- C:\Users\Admin\AppData\Local\Temp\tmp240604546.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240604546.exe
  2⤵
  PID:3624
- - C:\Users\Admin\AppData\Local\Temp\tmp240602593.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240602593.exe
    3⤵
    - Checks computer location settings
    PID:1212
- C:\Users\Admin\AppData\Local\Temp\tmp240602531.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240602531.exe
  2⤵
  PID:4644
- C:\Users\Admin\AppData\Local\Temp\tmp240602500.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240602500.exe
  2⤵
  PID:4212
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:3804

C:\Users\Admin\AppData\Local\Temp\tmp240606125.exe
C:\Users\Admin\AppData\Local\Temp\tmp240606125.exe
1⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\tmp240605781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240605781.exe
1⤵
PID:3104
- C:\Users\Admin\AppData\Local\Temp\tmp240603968.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240603968.exe
  2⤵
  PID:488
- C:\Users\Admin\AppData\Local\Temp\tmp240603937.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240603937.exe
  2⤵
  PID:2208

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:3812
- C:\Users\Admin\AppData\Local\Temp\tmp240603421.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240603421.exe
  2⤵
  PID:3388
- C:\Users\Admin\AppData\Local\Temp\tmp240603406.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240603406.exe
  2⤵
  PID:2072

C:\Users\Admin\AppData\Local\Temp\tmp240605312.exe
C:\Users\Admin\AppData\Local\Temp\tmp240605312.exe
1⤵
PID:1276

C:\Users\Admin\AppData\Local\Temp\tmp240604750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240604750.exe
1⤵
PID:4024
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:4132

C:\Users\Admin\AppData\Local\Temp\tmp240603906.exe
C:\Users\Admin\AppData\Local\Temp\tmp240603906.exe
1⤵
PID:3104

C:\Users\Admin\AppData\Local\Temp\tmp240603609.exe
C:\Users\Admin\AppData\Local\Temp\tmp240603609.exe
1⤵
PID:2012

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:4708

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:3624

C:\Users\Admin\AppData\Local\Temp\tmp240602281.exe
C:\Users\Admin\AppData\Local\Temp\tmp240602281.exe
1⤵
PID:2304

C:\Users\Admin\AppData\Local\Temp\tmp240602265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240602265.exe
1⤵
PID:4292

C:\Users\Admin\AppData\Local\Temp\tmp240600718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240600718.exe
1⤵
PID:3052

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:2152

C:\Users\Admin\AppData\Local\Temp\tmp240600218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240600218.exe
1⤵
- Drops file in System32 directory
PID:4300

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:4524

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:1972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:220
- C:\Users\Admin\AppData\Local\Temp\tmp240597187.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240597187.exe
  2⤵
  PID:3600
- C:\Users\Admin\AppData\Local\Temp\tmp240597171.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240597171.exe
  2⤵
  PID:2380

C:\Users\Admin\AppData\Local\Temp\tmp240599437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599437.exe
1⤵
PID:920

C:\Users\Admin\AppData\Local\Temp\tmp240598765.exe
C:\Users\Admin\AppData\Local\Temp\tmp240598765.exe
1⤵
- Checks computer location settings
- Drops file in System32 directory
PID:3956

C:\Users\Admin\AppData\Local\Temp\tmp240598218.exe
C:\Users\Admin\AppData\Local\Temp\tmp240598218.exe
1⤵
PID:2120

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe ccbeaf50e1259956446a776306684d5a mjWAivSSKE6BCvLdHnUgIw.0.1.0.0.0
1⤵
PID:1892

C:\Users\Admin\AppData\Local\Temp\tmp240598203.exe
C:\Users\Admin\AppData\Local\Temp\tmp240598203.exe
1⤵
PID:4228

C:\Users\Admin\AppData\Local\Temp\tmp240596546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240596546.exe
1⤵
PID:4704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp240564968.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240564968.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240565015.exe

Filesize
845KB

MD5
d6c8dba712f5216cf8d6e35242b129c2

SHA1
28583d9e798b0385fd5d17a6c21ddfd263a578b9

SHA256
4e15a611565e96ec554163913be3d2fa67092545ca60d2138af75cf9760481f9

SHA512
646c1ccc498db3b4deec775cc24752278406920e963caa224e73253fa36a0590c959eb4782edee0bcca4a1272a5bcf0d987f0ac6607c2e0e0bac8816e3d87fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240565015.exe

Filesize
845KB

MD5
d6c8dba712f5216cf8d6e35242b129c2

SHA1
28583d9e798b0385fd5d17a6c21ddfd263a578b9

SHA256
4e15a611565e96ec554163913be3d2fa67092545ca60d2138af75cf9760481f9

SHA512
646c1ccc498db3b4deec775cc24752278406920e963caa224e73253fa36a0590c959eb4782edee0bcca4a1272a5bcf0d987f0ac6607c2e0e0bac8816e3d87fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240565093.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240565093.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240565250.exe

Filesize
798KB

MD5
e7401631b31d723653d0493cb1f1eff5

SHA1
6c75aab0376d290df966f79d6dd29586fb9c15e6

SHA256
0fa7e2e0f9cd0eb9a7aa98304159839e12d10a6815e7b3361f9cd2f0e71430c8

SHA512
5f590a12a9353d71464d71f443b252eb6155561599151fb4dff62cfdaec9ef4335c268cb9898f21c0a12520a57f50e965afaae97c0fd3fffbe8e00d22fad24b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240565250.exe

Filesize
798KB

MD5
e7401631b31d723653d0493cb1f1eff5

SHA1
6c75aab0376d290df966f79d6dd29586fb9c15e6

SHA256
0fa7e2e0f9cd0eb9a7aa98304159839e12d10a6815e7b3361f9cd2f0e71430c8

SHA512
5f590a12a9353d71464d71f443b252eb6155561599151fb4dff62cfdaec9ef4335c268cb9898f21c0a12520a57f50e965afaae97c0fd3fffbe8e00d22fad24b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240565421.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240565421.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240565484.exe

Filesize
751KB

MD5
cb49497963ab471099d0123a5666ffd3

SHA1
bd19420b676ae0ab7173f407345a0803e47bb6fb

SHA256
2b0304c2b4f1ca70dcad915843808162e71da277dd990ad6f8e878d5ee66eb36

SHA512
2a4d0efca9d2aecf533027dc045e39f9ac65b94803340c0bf6ec5aa5b6139e6033cde24af965da7e6f7c83152c27964f3642a0568e8aef8f3d053be3faa51d81

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240565484.exe

Filesize
751KB

MD5
cb49497963ab471099d0123a5666ffd3

SHA1
bd19420b676ae0ab7173f407345a0803e47bb6fb

SHA256
2b0304c2b4f1ca70dcad915843808162e71da277dd990ad6f8e878d5ee66eb36

SHA512
2a4d0efca9d2aecf533027dc045e39f9ac65b94803340c0bf6ec5aa5b6139e6033cde24af965da7e6f7c83152c27964f3642a0568e8aef8f3d053be3faa51d81

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240565562.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240565562.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240565687.exe

Filesize
703KB

MD5
d11fd74203a551b8b1ec3b88630dbf9c

SHA1
eb93ac596cdf1682c193efb4a3ac048749e02e56

SHA256
b154bacad2e789577a602befb024d20bdff928884bb618fb2ad018c088530dac

SHA512
84f811677f36dc2301ad0783bf0858081f41c4862245586bf14d1952e9821cea1e9b05e41719429ff7817d91943e90b46142f1c1632f823084e3ae43ef112887

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240565687.exe

Filesize
703KB

MD5
d11fd74203a551b8b1ec3b88630dbf9c

SHA1
eb93ac596cdf1682c193efb4a3ac048749e02e56

SHA256
b154bacad2e789577a602befb024d20bdff928884bb618fb2ad018c088530dac

SHA512
84f811677f36dc2301ad0783bf0858081f41c4862245586bf14d1952e9821cea1e9b05e41719429ff7817d91943e90b46142f1c1632f823084e3ae43ef112887

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240566375.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240566375.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240566484.exe

Filesize
656KB

MD5
6acf911eb3af129b2e240fb0fca3da63

SHA1
93d43471e0d88898d65eae3e04cd2433297116a9

SHA256
1149b821e91a8a05d75b2ae09fde34943feb2136df7be20fb02331154c44ed50

SHA512
fb9419696c14c9f1799ac452b87452c43d066dc633726ab851f87bc42b24e3c66425f4cf6ef686929eb7aea1f5ff8cfa36cfb932e0637f026d2df4a9cc7712f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240566484.exe

Filesize
656KB

MD5
6acf911eb3af129b2e240fb0fca3da63

SHA1
93d43471e0d88898d65eae3e04cd2433297116a9

SHA256
1149b821e91a8a05d75b2ae09fde34943feb2136df7be20fb02331154c44ed50

SHA512
fb9419696c14c9f1799ac452b87452c43d066dc633726ab851f87bc42b24e3c66425f4cf6ef686929eb7aea1f5ff8cfa36cfb932e0637f026d2df4a9cc7712f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240566578.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240566578.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240566625.exe

Filesize
609KB

MD5
cf4bdd24c723907a4f0737d9b13d5ae0

SHA1
bc4971c34e809dc738351d77f5d7562f760f97d4

SHA256
7028f384a35a792a9413015f73fb39b9961aa60205c5479131345b1c7e5ffb41

SHA512
15528035bc7c483a3999dca3551b3718bbd9d99975ac6b5684549e7a2aab57a199f526556aa1263f3aa865ce56efd2c2cb533365690d187a044d2da264aa0833

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240566625.exe

Filesize
609KB

MD5
cf4bdd24c723907a4f0737d9b13d5ae0

SHA1
bc4971c34e809dc738351d77f5d7562f760f97d4

SHA256
7028f384a35a792a9413015f73fb39b9961aa60205c5479131345b1c7e5ffb41

SHA512
15528035bc7c483a3999dca3551b3718bbd9d99975ac6b5684549e7a2aab57a199f526556aa1263f3aa865ce56efd2c2cb533365690d187a044d2da264aa0833

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240566750.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240566750.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240566812.exe

Filesize
561KB

MD5
ba24d587387b8f54a2d4011dafc0dee2

SHA1
6740995b61a067abf692236bad9d0becc692c02d

SHA256
16c1a496517072b2b703ae82dea87033a5b9b0946f25421320a7d8ac2979e88c

SHA512
9be2666282307c96b38ee7b7287a05bf4ad835c632c78b7a5b4b419f853af97c3be4601c731b55e49541d17e0cdd88848d1a8803f0710479655b094bc99ba34a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240566812.exe

Filesize
561KB

MD5
ba24d587387b8f54a2d4011dafc0dee2

SHA1
6740995b61a067abf692236bad9d0becc692c02d

SHA256
16c1a496517072b2b703ae82dea87033a5b9b0946f25421320a7d8ac2979e88c

SHA512
9be2666282307c96b38ee7b7287a05bf4ad835c632c78b7a5b4b419f853af97c3be4601c731b55e49541d17e0cdd88848d1a8803f0710479655b094bc99ba34a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240566875.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240566875.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240566890.exe

Filesize
514KB

MD5
262478dcedf147c0a41de81a5dcf62ce

SHA1
e69128d35ccad410919e1ecdeb26305d13685253

SHA256
650cd131ecd7f69c59543de853dc6f227b1051c976d1010f705126c874f9d06b

SHA512
01a6960be5bae2398e20abea066fe7b1c4646d3483b0640c71ebab240396d98264db31afc8a31052f6aaac19fcb9ab08c9c428954b1ae7ca4c3f11f50ee6895e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240566890.exe

Filesize
514KB

MD5
262478dcedf147c0a41de81a5dcf62ce

SHA1
e69128d35ccad410919e1ecdeb26305d13685253

SHA256
650cd131ecd7f69c59543de853dc6f227b1051c976d1010f705126c874f9d06b

SHA512
01a6960be5bae2398e20abea066fe7b1c4646d3483b0640c71ebab240396d98264db31afc8a31052f6aaac19fcb9ab08c9c428954b1ae7ca4c3f11f50ee6895e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240566984.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240566984.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240567015.exe

Filesize
467KB

MD5
5470afc02206d7a4e2434d584e5b6811

SHA1
fe63a1b1e07e76cf63a3cdd596a0d45b671e1d7c

SHA256
12f1410bc1a0f8bce5a239207e7ccacda946ae7b65a8140dc227ff3273b76139

SHA512
7f0d9140ab67699c4f96bc03384eccfbe821d48fb9b7c37273de779d3a1ac50f35a08bc13feb3b131c0f8eff77888e4ae1cead19b4766e98e3c9ddfb1cb15cfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240567015.exe

Filesize
467KB

MD5
5470afc02206d7a4e2434d584e5b6811

SHA1
fe63a1b1e07e76cf63a3cdd596a0d45b671e1d7c

SHA256
12f1410bc1a0f8bce5a239207e7ccacda946ae7b65a8140dc227ff3273b76139

SHA512
7f0d9140ab67699c4f96bc03384eccfbe821d48fb9b7c37273de779d3a1ac50f35a08bc13feb3b131c0f8eff77888e4ae1cead19b4766e98e3c9ddfb1cb15cfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240567609.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240567609.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240567625.exe

Filesize
419KB

MD5
31bf70062d5173340bf055c900d02ffc

SHA1
f1754a2a48552c722da99880bb56a162a646fe7d

SHA256
98243fe363bae47f131346ba3b7e0682fd664dbe4a5606c4087b34342a8ea191

SHA512
646d5e1178b3e5c16b01958e9a30d25f41e12dbf97b16687fa3a1c456b3b3a63e34442e10eaf038e59b005e8b40e0e67f495ecd4c65db2785e8345c6e16421ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240567625.exe

Filesize
419KB

MD5
31bf70062d5173340bf055c900d02ffc

SHA1
f1754a2a48552c722da99880bb56a162a646fe7d

SHA256
98243fe363bae47f131346ba3b7e0682fd664dbe4a5606c4087b34342a8ea191

SHA512
646d5e1178b3e5c16b01958e9a30d25f41e12dbf97b16687fa3a1c456b3b3a63e34442e10eaf038e59b005e8b40e0e67f495ecd4c65db2785e8345c6e16421ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240567750.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240567750.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240567781.exe

Filesize
372KB

MD5
144ecc559ce0c4eb1d6dd0531d89c624

SHA1
7b3a04f19c62fcebbb5b8cfd11a955228d801013

SHA256
21f69a2a17e5bfde09bdf017d91d3e3eb7dbc94560e65d906250ca767404cebc

SHA512
6e88973997cce436ec1faccc467ace55aa6dc52936b9e360ec4da4d30ce619877951ad4b64fa3bcd75cae300c062455c1643a7aa79ae5e726a0ea5cf2c3c72b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240567781.exe

Filesize
372KB

MD5
144ecc559ce0c4eb1d6dd0531d89c624

SHA1
7b3a04f19c62fcebbb5b8cfd11a955228d801013

SHA256
21f69a2a17e5bfde09bdf017d91d3e3eb7dbc94560e65d906250ca767404cebc

SHA512
6e88973997cce436ec1faccc467ace55aa6dc52936b9e360ec4da4d30ce619877951ad4b64fa3bcd75cae300c062455c1643a7aa79ae5e726a0ea5cf2c3c72b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240568453.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240568453.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240568531.exe

Filesize
325KB

MD5
d37ec0fdeef202eb12b94f68238a8fd2

SHA1
ee6ecc7555ed283789bb23f86b22b815e6c61365

SHA256
9fd11613907f5b894065d35a9336c4502c3df49b3de6129638b3cdb198ac0d8e

SHA512
f0e46ef6b1a5ddc4ae2a6442eba1ea336d018cd26deb99761ebf198ebbacaa745e9f718338a548b6bab4b975aee1c120edc811d8ed04000476b4099d78a7002b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240568531.exe

Filesize
325KB

MD5
d37ec0fdeef202eb12b94f68238a8fd2

SHA1
ee6ecc7555ed283789bb23f86b22b815e6c61365

SHA256
9fd11613907f5b894065d35a9336c4502c3df49b3de6129638b3cdb198ac0d8e

SHA512
f0e46ef6b1a5ddc4ae2a6442eba1ea336d018cd26deb99761ebf198ebbacaa745e9f718338a548b6bab4b975aee1c120edc811d8ed04000476b4099d78a7002b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240568609.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240568609.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240568640.exe

Filesize
277KB

MD5
f84dde9edbf0ca0e15062173ad06b436

SHA1
6955c2ee84aa4891c1d97843ed419fce5bc37fb9

SHA256
17d92c5aed3087f4efdbfd7be5fff6813eafef722a54d4ae55d3ae704105d613

SHA512
5cba6da101d628ce7d522463a8c036731d770dc3ae3c0324ff2488d47258c28e980c08143f79c237bd5b572fa0cd3a7c25c0b5d0c0e3fcb8b6711582f31b2895

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240568640.exe

Filesize
277KB

MD5
f84dde9edbf0ca0e15062173ad06b436

SHA1
6955c2ee84aa4891c1d97843ed419fce5bc37fb9

SHA256
17d92c5aed3087f4efdbfd7be5fff6813eafef722a54d4ae55d3ae704105d613

SHA512
5cba6da101d628ce7d522463a8c036731d770dc3ae3c0324ff2488d47258c28e980c08143f79c237bd5b572fa0cd3a7c25c0b5d0c0e3fcb8b6711582f31b2895

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240568703.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240568703.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240568750.exe

Filesize
230KB

MD5
8d040b882181876135babbf94885544a

SHA1
63ebc837b9aa445cd709c06246fb23e2508b9f4c

SHA256
3236264652f5d0e90f9d2c4a5ff6f36448832be336e6a1ace38a6bda741c5730

SHA512
0bb41a409a7b3e036cc30793839b7540a4807e091d5970d059d283f0721c4a5710cce220cc9e43d406b1efab3be7af9be38a6711d0740706003d639fcef5439b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240568750.exe

Filesize
230KB

MD5
8d040b882181876135babbf94885544a

SHA1
63ebc837b9aa445cd709c06246fb23e2508b9f4c

SHA256
3236264652f5d0e90f9d2c4a5ff6f36448832be336e6a1ace38a6bda741c5730

SHA512
0bb41a409a7b3e036cc30793839b7540a4807e091d5970d059d283f0721c4a5710cce220cc9e43d406b1efab3be7af9be38a6711d0740706003d639fcef5439b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240568843.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240568843.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240568859.exe

Filesize
183KB

MD5
619ca9513f8fed49817d89e5c1573194

SHA1
2f70c289b7290ce1150d09ce7adf4ba3cd3517fd

SHA256
0041051fff856f640769e4391a1a7195d8110c4bd5bc8bc190c84d304e1c2a11

SHA512
dd6de48f13575aca8bd17a59954042a46c4cacbf23197de5398f50a58fe6408985bc28917cac56cf100219b193489a805e6a73f04df6f7ceede1174fa1e06a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240568859.exe

Filesize
183KB

MD5
619ca9513f8fed49817d89e5c1573194

SHA1
2f70c289b7290ce1150d09ce7adf4ba3cd3517fd

SHA256
0041051fff856f640769e4391a1a7195d8110c4bd5bc8bc190c84d304e1c2a11

SHA512
dd6de48f13575aca8bd17a59954042a46c4cacbf23197de5398f50a58fe6408985bc28917cac56cf100219b193489a805e6a73f04df6f7ceede1174fa1e06a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240568937.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240568937.exe

Filesize
36KB

MD5
805fd59210bce057a51ffff3f624c75e

SHA1
2c1a601817ba7b5a6f2d771761894687ef371a27

SHA256
c73e85e0b2de80fd187879b8704f46e976aa1e61507b8a469bdf826d2b36c09d

SHA512
338539acd5c032b8e3b30b9ba49e994fae3a2e487e8824259b98579963ebb0d89c46692e531095b1e80299a7e492b14e22ef185ac0da4a6c5fa6b1b85fa6ca1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240568953.exe

Filesize
136KB

MD5
2fa928752c8a0fe0bf7f1acb1900ef35

SHA1
9bb710592348768e58387002ebbe34d02a17a7cc

SHA256
824cf45d3c78aa9e6b019d1a5ede46f27bd9418115c6098a016788159ceaae78

SHA512
a3306863137a6d6985ee558f4ff2ccb84a1dda74cb3c5aaf24a99184e0508564671bc5a7089342d3ac41083f923f4c525b23bf59045e896da93fd47ef76ee233

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240568953.exe

Filesize
136KB

MD5
2fa928752c8a0fe0bf7f1acb1900ef35

SHA1
9bb710592348768e58387002ebbe34d02a17a7cc

SHA256
824cf45d3c78aa9e6b019d1a5ede46f27bd9418115c6098a016788159ceaae78

SHA512
a3306863137a6d6985ee558f4ff2ccb84a1dda74cb3c5aaf24a99184e0508564671bc5a7089342d3ac41083f923f4c525b23bf59045e896da93fd47ef76ee233

Download Submit
memory/220-190-0x0000000000000000-mapping.dmp

Download
memory/408-311-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/568-162-0x0000000000000000-mapping.dmp

Download
memory/644-268-0x0000000000000000-mapping.dmp

Download
memory/984-132-0x0000000000000000-mapping.dmp

Download
memory/1020-261-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1020-258-0x0000000000000000-mapping.dmp

Download
memory/1196-193-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1196-196-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1196-186-0x0000000000000000-mapping.dmp

Download
memory/1252-321-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1356-260-0x0000000000000000-mapping.dmp

Download
memory/1364-251-0x0000000000000000-mapping.dmp

Download
memory/1452-169-0x0000000000000000-mapping.dmp

Download
memory/1516-283-0x0000000000000000-mapping.dmp

Download
memory/1564-208-0x0000000000000000-mapping.dmp

Download
memory/1564-210-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1564-220-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1572-306-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1736-314-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1736-313-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1772-309-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1772-307-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1780-146-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1780-135-0x0000000000000000-mapping.dmp

Download
memory/1780-139-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1832-231-0x0000000000000000-mapping.dmp

Download
memory/1832-240-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1868-290-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1868-286-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1868-285-0x0000000000000000-mapping.dmp

Download
memory/1912-250-0x0000000000000000-mapping.dmp

Download
memory/1912-253-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1952-267-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1952-262-0x0000000000000000-mapping.dmp

Download
memory/2088-176-0x0000000000000000-mapping.dmp

Download
memory/2120-264-0x0000000000000000-mapping.dmp

Download
memory/2120-269-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2196-235-0x0000000000000000-mapping.dmp

Download
memory/2200-295-0x0000000000000000-mapping.dmp

Download
memory/2200-158-0x0000000000000000-mapping.dmp

Download
memory/2200-168-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2248-263-0x0000000000000000-mapping.dmp

Download
memory/2364-221-0x0000000000000000-mapping.dmp

Download
memory/2388-287-0x0000000000000000-mapping.dmp

Download
memory/2464-278-0x0000000000000000-mapping.dmp

Download
memory/2640-275-0x0000000000000000-mapping.dmp

Download
memory/2660-266-0x0000000000000000-mapping.dmp

Download
memory/2688-256-0x0000000000000000-mapping.dmp

Download
memory/2732-198-0x0000000000000000-mapping.dmp

Download
memory/2796-272-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2796-276-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2796-270-0x0000000000000000-mapping.dmp

Download
memory/3032-317-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3192-312-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3388-265-0x0000000000000000-mapping.dmp

Download
memory/3424-308-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3424-310-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3460-315-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3484-224-0x0000000000000000-mapping.dmp

Download
memory/3484-234-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3508-205-0x0000000000000000-mapping.dmp

Download
memory/3568-254-0x0000000000000000-mapping.dmp

Download
memory/3568-257-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3632-228-0x0000000000000000-mapping.dmp

Download
memory/3732-201-0x0000000000000000-mapping.dmp

Download
memory/3732-211-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3732-212-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3736-242-0x0000000000000000-mapping.dmp

Download
memory/3748-318-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3776-137-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3884-238-0x0000000000000000-mapping.dmp

Download
memory/3884-247-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3920-319-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3920-320-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3964-284-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3964-281-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3964-280-0x0000000000000000-mapping.dmp

Download
memory/4184-174-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4184-165-0x0000000000000000-mapping.dmp

Download
memory/4196-303-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4224-277-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4224-273-0x0000000000000000-mapping.dmp

Download
memory/4224-279-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4268-214-0x0000000000000000-mapping.dmp

Download
memory/4292-296-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4292-294-0x0000000000000000-mapping.dmp

Download
memory/4296-255-0x0000000000000000-mapping.dmp

Download
memory/4356-322-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4388-179-0x0000000000000000-mapping.dmp

Download
memory/4388-189-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4460-227-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4460-217-0x0000000000000000-mapping.dmp

Download
memory/4468-271-0x0000000000000000-mapping.dmp

Download
memory/4504-154-0x0000000000000000-mapping.dmp

Download
memory/4556-316-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4640-299-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4640-298-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4680-140-0x0000000000000000-mapping.dmp

Download
memory/4692-282-0x0000000000000000-mapping.dmp

Download
memory/4700-181-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4700-172-0x0000000000000000-mapping.dmp

Download
memory/4736-259-0x0000000000000000-mapping.dmp

Download
memory/4764-292-0x0000000000000000-mapping.dmp

Download
memory/4772-291-0x0000000000000000-mapping.dmp

Download
memory/4804-323-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4824-147-0x0000000000000000-mapping.dmp

Download
memory/4848-288-0x0000000000000000-mapping.dmp

Download
memory/4852-300-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4872-161-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4872-157-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4872-150-0x0000000000000000-mapping.dmp

Download
memory/4896-274-0x0000000000000000-mapping.dmp

Download
memory/4908-143-0x0000000000000000-mapping.dmp

Download
memory/4908-293-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4908-152-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4908-289-0x0000000000000000-mapping.dmp

Download
memory/4920-297-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4988-302-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5004-304-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5004-305-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5020-249-0x0000000000010000-0x0000000000032000-memory.dmp

Filesize
136KB

Download
memory/5020-245-0x0000000000000000-mapping.dmp

Download
memory/5036-301-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5036-194-0x0000000000000000-mapping.dmp

Download
memory/5036-203-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5048-252-0x0000000000000000-mapping.dmp

Download
memory/5116-183-0x0000000000000000-mapping.dmp

Download