6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

Analysis

max time kernel
146s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29/10/2022, 16:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec.exe
Size

269KB
MD5

52c30e5069632251e223731b54da4000
SHA1

d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd
SHA256

6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec
SHA512

b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5
SSDEEP

6144:oftdcNdPYNSDyDIkFthptNSDyDIkFthphNSDyDRO1thp:bdPcSDyTFtjXSDyTFtjrSDyo1tj

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2084	notpad.exe
4580	tmp240551953.exe
4808	tmp240551984.exe
4788	notpad.exe
4972	tmp240552312.exe
4684	tmp240552359.exe
4264	notpad.exe
4188	tmp240552593.exe
4344	tmp240552671.exe
724	notpad.exe
4088	tmp240552937.exe
3640	tmp240552968.exe
2088	notpad.exe
2812	tmp240553906.exe
224	notpad.exe
4548	tmp240554000.exe
2388	tmp240554234.exe
3032	tmp240554375.exe
3752	notpad.exe
3528	tmp240554656.exe
3512	tmp240554734.exe
1544	notpad.exe
4068	tmp240555031.exe
2156	tmp240555265.exe
3496	notpad.exe
3120	tmp240555578.exe
4884	tmp240555640.exe
3148	notpad.exe
2936	tmp240555843.exe
4912	tmp240555984.exe
2404	notpad.exe
2768	tmp240556250.exe
4440	tmp240556281.exe
4152	notpad.exe
3336	tmp240556484.exe
5000	tmp240556515.exe
2868	notpad.exe
2072	tmp240556718.exe
3488	tmp240556750.exe
1280	notpad.exe
4860	tmp240556968.exe
1892	tmp240557000.exe
1624	notpad.exe
2116	tmp240557203.exe
2392	tmp240557234.exe
3400	notpad.exe
1592	tmp240557437.exe
4568	tmp240557468.exe
3000	notpad.exe
3620	tmp240557671.exe
3152	tmp240557703.exe
2976	notpad.exe
3668	tmp240557937.exe
2128	tmp240557953.exe
2096	notpad.exe
4680	tmp240558187.exe
1912	tmp240558218.exe
4720	notpad.exe
4668	tmp240558390.exe
1224	tmp240558421.exe
892	notpad.exe
4184	tmp240558671.exe
4520	tmp240558687.exe
2080	notpad.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000300000001e6e8-133.dat	upx
behavioral2/files/0x000300000001e6e8-134.dat	upx
behavioral2/memory/2084-135-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x000700000001e590-140.dat	upx
behavioral2/memory/2084-143-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x000300000001e6e8-145.dat	upx
behavioral2/files/0x000700000001e590-150.dat	upx
behavioral2/memory/4788-153-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x000300000001e6e8-155.dat	upx
behavioral2/files/0x000700000001e590-160.dat	upx
behavioral2/memory/4264-163-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x000300000001e6e8-165.dat	upx
behavioral2/files/0x000700000001e590-170.dat	upx
behavioral2/memory/724-169-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/724-174-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x000300000001e6e8-176.dat	upx
behavioral2/memory/2088-182-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x000700000001e590-180.dat	upx
behavioral2/files/0x000300000001e6e8-184.dat	upx
behavioral2/memory/2088-187-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/224-195-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x000700000001e590-192.dat	upx
behavioral2/files/0x000300000001e6e8-197.dat	upx
behavioral2/memory/3752-205-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x000700000001e590-201.dat	upx
behavioral2/files/0x000300000001e6e8-207.dat	upx
behavioral2/memory/1544-208-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x000700000001e590-213.dat	upx
behavioral2/memory/1544-216-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x000300000001e6e8-218.dat	upx
behavioral2/files/0x000700000001e590-224.dat	upx
behavioral2/memory/3496-226-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x000300000001e6e8-228.dat	upx
behavioral2/files/0x000700000001e590-233.dat	upx
behavioral2/memory/3148-236-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x000300000001e6e8-238.dat	upx
behavioral2/memory/2404-243-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4152-247-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2868-251-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1280-255-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1280-257-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1624-260-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3400-264-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3000-268-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2976-272-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2096-274-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2096-277-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4720-281-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/892-285-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2080-287-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2252-288-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4880-289-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1148-290-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/896-291-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2644-292-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3656-293-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3656-294-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/512-295-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4244-296-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/368-297-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4244-298-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/368-299-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3700-300-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4920-301-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240677718.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240678531.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240680421.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240570296.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240573015.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240589234.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240668937.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	notpad.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240589000.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240601046.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240604531.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240677906.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240558671.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240573218.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240679906.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240592375.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240603875.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240556484.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240599750.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240603203.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240676515.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240552312.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240598671.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240642265.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240557937.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240572312.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240677750.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240574046.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240669187.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240670203.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240678015.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240556968.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240588093.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240669937.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240678312.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240557203.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240655000.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240672250.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240677015.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240570578.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240589437.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240605312.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240633734.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240677234.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240552593.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240646218.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240670750.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240671578.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240681890.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240559546.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240559765.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240670546.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240592046.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240597171.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240643515.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	tmp240671968.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240571187.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240647062.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240680421.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240560656.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240570296.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240571406.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240587890.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240676093.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240680421.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240558671.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240558890.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240569375.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240604531.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240646218.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240679906.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	Process not Found
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240556484.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240572312.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240589984.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240589609.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240597171.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240605890.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240671968.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240679515.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240572546.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240573218.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240669578.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240679703.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240556250.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240556718.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240598906.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240681593.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240679703.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	Process not Found
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240559546.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240573609.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240589437.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240647062.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240679296.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	Process not Found
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240591609.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240603875.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240649984.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240671578.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240573015.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240602437.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240677234.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240551953.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240557937.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240589234.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240600562.exe
File created	C:\Windows\SysWOW64\notpad.exe-	Process not Found
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240675875.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240555843.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240556968.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	Process not Found
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240588312.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240600312.exe
File created	C:\Windows\SysWOW64\notpad.exe	Process not Found
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240552937.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240592046.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240679296.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240679515.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240681890.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240675359.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240675875.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240679906.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240552312.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240597171.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240633734.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240669187.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240681593.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240557437.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240559953.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240589000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240677718.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240551953.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240559109.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240574046.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240603203.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240603875.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240676093.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240677234.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240556718.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240557203.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240560187.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240559765.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240649312.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240649484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240670546.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240671578.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240558890.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240599750.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240599984.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240646734.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240677750.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240676515.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240555578.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240572546.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240591609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240589984.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240604531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240605312.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240680593.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240655000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240672515.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240556250.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240570140.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240605890.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240675671.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240572796.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240588093.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240588312.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240570578.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240590406.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240645625.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240555843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240556484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240558671.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240589234.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240649984.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240609046.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240643515.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240677015.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 2084	3444	6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec.exe	80
PID 3444 wrote to memory of 2084	3444	6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec.exe	80
PID 3444 wrote to memory of 2084	3444	6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec.exe	80
PID 2084 wrote to memory of 4580	2084	notpad.exe	81
PID 2084 wrote to memory of 4580	2084	notpad.exe	81
PID 2084 wrote to memory of 4580	2084	notpad.exe	81
PID 2084 wrote to memory of 4808	2084	notpad.exe	82
PID 2084 wrote to memory of 4808	2084	notpad.exe	82
PID 2084 wrote to memory of 4808	2084	notpad.exe	82
PID 4580 wrote to memory of 4788	4580	tmp240551953.exe	83
PID 4580 wrote to memory of 4788	4580	tmp240551953.exe	83
PID 4580 wrote to memory of 4788	4580	tmp240551953.exe	83
PID 4788 wrote to memory of 4972	4788	notpad.exe	84
PID 4788 wrote to memory of 4972	4788	notpad.exe	84
PID 4788 wrote to memory of 4972	4788	notpad.exe	84
PID 4788 wrote to memory of 4684	4788	notpad.exe	85
PID 4788 wrote to memory of 4684	4788	notpad.exe	85
PID 4788 wrote to memory of 4684	4788	notpad.exe	85
PID 4972 wrote to memory of 4264	4972	tmp240552312.exe	86
PID 4972 wrote to memory of 4264	4972	tmp240552312.exe	86
PID 4972 wrote to memory of 4264	4972	tmp240552312.exe	86
PID 4264 wrote to memory of 4188	4264	notpad.exe	87
PID 4264 wrote to memory of 4188	4264	notpad.exe	87
PID 4264 wrote to memory of 4188	4264	notpad.exe	87
PID 4264 wrote to memory of 4344	4264	notpad.exe	88
PID 4264 wrote to memory of 4344	4264	notpad.exe	88
PID 4264 wrote to memory of 4344	4264	notpad.exe	88
PID 4188 wrote to memory of 724	4188	tmp240552593.exe	89
PID 4188 wrote to memory of 724	4188	tmp240552593.exe	89
PID 4188 wrote to memory of 724	4188	tmp240552593.exe	89
PID 724 wrote to memory of 4088	724	notpad.exe	90
PID 724 wrote to memory of 4088	724	notpad.exe	90
PID 724 wrote to memory of 4088	724	notpad.exe	90
PID 724 wrote to memory of 3640	724	notpad.exe	91
PID 724 wrote to memory of 3640	724	notpad.exe	91
PID 724 wrote to memory of 3640	724	notpad.exe	91
PID 4088 wrote to memory of 2088	4088	tmp240552937.exe	92
PID 4088 wrote to memory of 2088	4088	tmp240552937.exe	92
PID 4088 wrote to memory of 2088	4088	tmp240552937.exe	92
PID 2088 wrote to memory of 2812	2088	notpad.exe	93
PID 2088 wrote to memory of 2812	2088	notpad.exe	93
PID 2088 wrote to memory of 2812	2088	notpad.exe	93
PID 2812 wrote to memory of 224	2812	tmp240553906.exe	94
PID 2812 wrote to memory of 224	2812	tmp240553906.exe	94
PID 2812 wrote to memory of 224	2812	tmp240553906.exe	94
PID 2088 wrote to memory of 4548	2088	notpad.exe	95
PID 2088 wrote to memory of 4548	2088	notpad.exe	95
PID 2088 wrote to memory of 4548	2088	notpad.exe	95
PID 224 wrote to memory of 2388	224	notpad.exe	96
PID 224 wrote to memory of 2388	224	notpad.exe	96
PID 224 wrote to memory of 2388	224	notpad.exe	96
PID 224 wrote to memory of 3032	224	notpad.exe	97
PID 224 wrote to memory of 3032	224	notpad.exe	97
PID 224 wrote to memory of 3032	224	notpad.exe	97
PID 2388 wrote to memory of 3752	2388	tmp240554234.exe	98
PID 2388 wrote to memory of 3752	2388	tmp240554234.exe	98
PID 2388 wrote to memory of 3752	2388	tmp240554234.exe	98
PID 3752 wrote to memory of 3528	3752	notpad.exe	99
PID 3752 wrote to memory of 3528	3752	notpad.exe	99
PID 3752 wrote to memory of 3528	3752	notpad.exe	99
PID 3752 wrote to memory of 3512	3752	notpad.exe	100
PID 3752 wrote to memory of 3512	3752	notpad.exe	100
PID 3752 wrote to memory of 3512	3752	notpad.exe	100
PID 3528 wrote to memory of 1544	3528	tmp240554656.exe	101

C:\Users\Admin\AppData\Local\Temp\6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec.exe
"C:\Users\Admin\AppData\Local\Temp\6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Users\Admin\AppData\Local\Temp\tmp240551953.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240551953.exe
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4580
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4788
    - - C:\Users\Admin\AppData\Local\Temp\tmp240552312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240552312.exe
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4972
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\tmp240552593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240552593.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4188
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:724
        
        C:\Users\Admin\AppData\Local\Temp\tmp240552937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240552937.exe
        9⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4088
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240553906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240553906.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\tmp240554234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240554234.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240554656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240554656.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        Executes dropped EXE
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240555031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240555031.exe
        17⤵
        Executes dropped EXE
        
        PID:4068
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        Executes dropped EXE
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\tmp240555578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240555578.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3120
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        Executes dropped EXE
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\tmp240555843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240555843.exe
        21⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2936
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        22⤵
        Executes dropped EXE
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556250.exe
        23⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        24⤵
        Executes dropped EXE
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556484.exe
        25⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        26⤵
        Executes dropped EXE
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556718.exe
        27⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2072
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        28⤵
        Executes dropped EXE
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556968.exe
        29⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4860
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        30⤵
        Executes dropped EXE
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557203.exe
        31⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        
        PID:2116
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        32⤵
        Executes dropped EXE
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557437.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1592
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        34⤵
        Executes dropped EXE
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557671.exe
        35⤵
        Executes dropped EXE
        
        PID:3620
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        36⤵
        Executes dropped EXE
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557937.exe
        37⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3668
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        38⤵
        Executes dropped EXE
        
        PID:2096
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558187.exe
        39⤵
        Executes dropped EXE
        
        PID:4680
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        40⤵
        Executes dropped EXE
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558390.exe
        41⤵
        Executes dropped EXE
        
        PID:4668
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        42⤵
        Executes dropped EXE
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558671.exe
        43⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4184
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        44⤵
        Executes dropped EXE
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558890.exe
        45⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4564
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        46⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\tmp240559109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240559109.exe
        47⤵
        Modifies registry class
        
        PID:2596
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        48⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\tmp240559328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240559328.exe
        49⤵
        
        PID:1772
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        50⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\tmp240559546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240559546.exe
        51⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:208
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        52⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\tmp240559765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240559765.exe
        53⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2812
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        54⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240559953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240559953.exe
        55⤵
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        56⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560187.exe
        57⤵
        Modifies registry class
        
        PID:3836
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        58⤵
        
        PID:512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560406.exe
        59⤵
        
        PID:1572
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        60⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560656.exe
        61⤵
        Drops file in System32 directory
        
        PID:5072
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        62⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240565906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240565906.exe
        63⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        64⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\tmp240568640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240568640.exe
        65⤵
        
        PID:5044
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        66⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240569375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240569375.exe
        67⤵
        Drops file in System32 directory
        
        PID:1184
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        68⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240570140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240570140.exe
        69⤵
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        70⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\tmp240570296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240570296.exe
        71⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3844
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        72⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240570578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240570578.exe
        73⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1608
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        74⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240571187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240571187.exe
        75⤵
        Drops file in System32 directory
        
        PID:5092
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        76⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\tmp240571359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240571359.exe
        77⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        78⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240571671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240571671.exe
        79⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\tmp240572171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240572171.exe
        79⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240572218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240572218.exe
        80⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240572250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240572250.exe
        80⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240571375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240571375.exe
        77⤵
        
        PID:608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240571406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240571406.exe
        78⤵
        Drops file in System32 directory
        
        PID:3480
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        79⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\tmp240572312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240572312.exe
        80⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4748
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        81⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240572546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240572546.exe
        82⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3760
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        83⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\tmp240572796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240572796.exe
        84⤵
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        85⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\tmp240573015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240573015.exe
        86⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:936
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        87⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240573218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240573218.exe
        88⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2808
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        89⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\tmp240573609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240573609.exe
        90⤵
        Drops file in System32 directory
        
        PID:896
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        91⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\tmp240573828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240573828.exe
        92⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        93⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240574046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240574046.exe
        94⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3096
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        95⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240587406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240587406.exe
        96⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        97⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240587890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240587890.exe
        98⤵
        Drops file in System32 directory
        
        PID:4064
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        99⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588093.exe
        100⤵
        Checks computer location settings
        Modifies registry class
        
        PID:384
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        101⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588312.exe
        102⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3652
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        103⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588718.exe
        104⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        105⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589000.exe
        106⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1488
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        107⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589234.exe
        108⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4312
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        109⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589531.exe
        110⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589609.exe
        110⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589250.exe
        108⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589281.exe
        109⤵
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589343.exe
        109⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589437.exe
        110⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4692
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        111⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589468.exe
        110⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589515.exe
        111⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589578.exe
        111⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589156.exe
        106⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589187.exe
        107⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589218.exe
        107⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589484.exe
        108⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589500.exe
        108⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589609.exe
        109⤵
        Drops file in System32 directory
        
        PID:2436
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        110⤵
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589984.exe
        111⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:320
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        112⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590421.exe
        113⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590484.exe
        113⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590531.exe
        114⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590546.exe
        114⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590578.exe
        115⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590593.exe
        115⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590640.exe
        116⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590656.exe
        116⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590234.exe
        111⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590265.exe
        112⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590296.exe
        112⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590343.exe
        113⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590375.exe
        113⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590406.exe
        114⤵
        Modifies registry class
        
        PID:2944
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        115⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590625.exe
        116⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        117⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591390.exe
        118⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        119⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591625.exe
        120⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591968.exe
        120⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592000.exe
        121⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592015.exe
        121⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592046.exe
        122⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3936
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        123⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592375.exe
        124⤵
        Checks computer location settings
        
        PID:856
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        125⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597171.exe
        126⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        127⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597734.exe
        128⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597781.exe
        128⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598359.exe
        129⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598468.exe
        129⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598531.exe
        130⤵
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598578.exe
        130⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598718.exe
        131⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598734.exe
        131⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597328.exe
        126⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597468.exe
        127⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597562.exe
        127⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597656.exe
        128⤵
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597687.exe
        128⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597796.exe
        129⤵
        
        PID:100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598328.exe
        129⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596906.exe
        124⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597375.exe
        125⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597437.exe
        125⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597531.exe
        126⤵
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597578.exe
        126⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597765.exe
        127⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597812.exe
        127⤵
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592125.exe
        122⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592156.exe
        123⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592171.exe
        123⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591421.exe
        118⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591468.exe
        119⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591484.exe
        119⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591562.exe
        120⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591578.exe
        120⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591609.exe
        121⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        122⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592187.exe
        123⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596921.exe
        123⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597296.exe
        124⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597343.exe
        124⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597484.exe
        125⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597515.exe
        125⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597609.exe
        126⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        127⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598437.exe
        128⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        129⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598828.exe
        130⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598859.exe
        130⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598937.exe
        131⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599031.exe
        131⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599125.exe
        132⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599156.exe
        132⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599218.exe
        133⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        134⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599484.exe
        135⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599546.exe
        135⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599718.exe
        136⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599734.exe
        136⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599812.exe
        137⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599843.exe
        137⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599890.exe
        138⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599937.exe
        138⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599234.exe
        133⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598500.exe
        128⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598546.exe
        129⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598609.exe
        129⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598671.exe
        130⤵
        Checks computer location settings
        
        PID:3512
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        131⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598906.exe
        132⤵
        Drops file in System32 directory
        
        PID:1544
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        133⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599265.exe
        134⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599375.exe
        134⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599390.exe
        135⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599437.exe
        135⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599500.exe
        136⤵
        
        PID:384
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        137⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599750.exe
        138⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1064
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        139⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600031.exe
        140⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600078.exe
        140⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600187.exe
        141⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600250.exe
        141⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600359.exe
        142⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600375.exe
        142⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600406.exe
        143⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600421.exe
        143⤵
        
        PID:100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599828.exe
        138⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599875.exe
        139⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599906.exe
        139⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599984.exe
        140⤵
        Modifies registry class
        
        PID:3932
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        141⤵
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600312.exe
        142⤵
        Drops file in System32 directory
        
        PID:4796
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        143⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600562.exe
        144⤵
        Drops file in System32 directory
        
        PID:400
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        145⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600890.exe
        146⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        147⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601093.exe
        148⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602578.exe
        148⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602906.exe
        149⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603453.exe
        149⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603906.exe
        150⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604312.exe
        150⤵
        
        PID:360
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605656.exe
        151⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605406.exe
        151⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600937.exe
        146⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601046.exe
        147⤵
        Checks computer location settings
        
        PID:2860
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        148⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602437.exe
        149⤵
        Drops file in System32 directory
        
        PID:1248
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        150⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603234.exe
        151⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603500.exe
        151⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604296.exe
        152⤵
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604656.exe
        153⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605078.exe
        153⤵
        
        PID:608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605156.exe
        154⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605328.exe
        154⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602812.exe
        149⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603203.exe
        150⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        151⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604343.exe
        152⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668515.exe
        153⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        154⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668953.exe
        155⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669062.exe
        155⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669140.exe
        156⤵
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669265.exe
        156⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669625.exe
        157⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669703.exe
        157⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669765.exe
        158⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670062.exe
        158⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604421.exe
        152⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605062.exe
        153⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605109.exe
        153⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605312.exe
        154⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        155⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605890.exe
        156⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4188
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        157⤵
        
        PID:3696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609046.exe
        158⤵
        Modifies registry class
        
        PID:4244
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        159⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620453.exe
        160⤵
        
        PID:4240
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        161⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641500.exe
        162⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641656.exe
        162⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642718.exe
        163⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643484.exe
        163⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644046.exe
        164⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644515.exe
        164⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645000.exe
        165⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645984.exe
        165⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628578.exe
        160⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633734.exe
        161⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        162⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642437.exe
        163⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641609.exe
        161⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642265.exe
        162⤵
        Checks computer location settings
        
        PID:1020
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        163⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643703.exe
        164⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644062.exe
        164⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644484.exe
        165⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645078.exe
        165⤵
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645671.exe
        166⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646031.exe
        166⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646265.exe
        167⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646296.exe
        167⤵
        
        PID:608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643046.exe
        162⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643515.exe
        163⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1428
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        164⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645625.exe
        165⤵
        Modifies registry class
        
        PID:4568
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        166⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646359.exe
        167⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646468.exe
        167⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646921.exe
        168⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646953.exe
        168⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647062.exe
        169⤵
        Drops file in System32 directory
        
        PID:5036
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        170⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648218.exe
        171⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        172⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649312.exe
        173⤵
        Modifies registry class
        
        PID:3768
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        174⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649656.exe
        175⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649875.exe
        175⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650312.exe
        176⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663734.exe
        176⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668203.exe
        177⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668468.exe
        177⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668578.exe
        178⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668640.exe
        178⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649515.exe
        173⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649796.exe
        174⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649890.exe
        174⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650281.exe
        175⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        176⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663718.exe
        177⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668453.exe
        177⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668765.exe
        178⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668875.exe
        179⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668921.exe
        179⤵
        
        PID:360
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668937.exe
        180⤵
        Checks computer location settings
        
        PID:1560
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        181⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669531.exe
        182⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669546.exe
        182⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669578.exe
        183⤵
        Drops file in System32 directory
        
        PID:908
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        184⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669937.exe
        185⤵
        Checks computer location settings
        
        PID:3720
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        186⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670281.exe
        187⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670593.exe
        187⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670640.exe
        188⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670687.exe
        188⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670750.exe
        189⤵
        Checks computer location settings
        
        PID:2460
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        190⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671218.exe
        191⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671328.exe
        191⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671421.exe
        192⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671531.exe
        192⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671625.exe
        193⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671734.exe
        193⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671875.exe
        194⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672000.exe
        194⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670812.exe
        189⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670890.exe
        190⤵
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671015.exe
        190⤵
        
        PID:64
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670046.exe
        185⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670203.exe
        186⤵
        Checks computer location settings
        
        PID:3196
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        187⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670703.exe
        188⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670968.exe
        188⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671093.exe
        189⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671156.exe
        189⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671281.exe
        190⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671343.exe
        190⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671468.exe
        191⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671500.exe
        191⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670265.exe
        186⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670515.exe
        187⤵
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670625.exe
        187⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670718.exe
        188⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670671.exe
        188⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669593.exe
        183⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669640.exe
        184⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669656.exe
        184⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669875.exe
        185⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669921.exe
        185⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668968.exe
        180⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651687.exe
        175⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654984.exe
        176⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663796.exe
        176⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648562.exe
        171⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649046.exe
        172⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649078.exe
        172⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649468.exe
        173⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649859.exe
        173⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650296.exe
        174⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663750.exe
        174⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647625.exe
        169⤵
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648531.exe
        170⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648625.exe
        170⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645953.exe
        165⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646000.exe
        166⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646140.exe
        166⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646218.exe
        167⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1472
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        168⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646734.exe
        169⤵
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        170⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647140.exe
        171⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647687.exe
        171⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648187.exe
        172⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648546.exe
        172⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649000.exe
        173⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649140.exe
        173⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649484.exe
        174⤵
        Modifies registry class
        
        PID:1948
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        175⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649984.exe
        176⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        177⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650375.exe
        178⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659484.exe
        178⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663781.exe
        179⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668703.exe
        179⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668828.exe
        180⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669156.exe
        180⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669187.exe
        181⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4412
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        182⤵
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669671.exe
        183⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669843.exe
        183⤵
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670015.exe
        184⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670125.exe
        184⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670250.exe
        185⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670484.exe
        185⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670546.exe
        186⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2188
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        187⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670781.exe
        188⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670859.exe
        188⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670984.exe
        189⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671203.exe
        190⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        191⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671406.exe
        192⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        193⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671718.exe
        194⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671843.exe
        195⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671890.exe
        195⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672015.exe
        196⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672093.exe
        196⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672203.exe
        197⤵
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672593.exe
        197⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671656.exe
        194⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671515.exe
        192⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671578.exe
        193⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2920
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        194⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671796.exe
        195⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671859.exe
        195⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671968.exe
        196⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3348
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        197⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672250.exe
        198⤵
        Checks computer location settings
        
        PID:2724
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        199⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672484.exe
        200⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672562.exe
        200⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672671.exe
        201⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672687.exe
        201⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672875.exe
        202⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672984.exe
        203⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        204⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674625.exe
        205⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675062.exe
        205⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673093.exe
        203⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672828.exe
        202⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672359.exe
        198⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672500.exe
        199⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672546.exe
        199⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672750.exe
        200⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672843.exe
        200⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673031.exe
        201⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673109.exe
        201⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672078.exe
        196⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672171.exe
        197⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672265.exe
        197⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672328.exe
        198⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672406.exe
        198⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671671.exe
        193⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671765.exe
        194⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        195⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672046.exe
        196⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672109.exe
        196⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672453.exe
        197⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672515.exe
        198⤵
        Modifies registry class
        
        PID:3324
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        199⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672734.exe
        200⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672812.exe
        200⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672890.exe
        201⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672906.exe
        201⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672968.exe
        202⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673046.exe
        202⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673203.exe
        203⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674640.exe
        203⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672578.exe
        198⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672703.exe
        199⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        200⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673000.exe
        201⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673125.exe
        201⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673234.exe
        202⤵
        
        PID:4776
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        203⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675078.exe
        204⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        205⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675421.exe
        206⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675437.exe
        206⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675515.exe
        207⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675640.exe
        207⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675687.exe
        208⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675703.exe
        208⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675718.exe
        209⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675781.exe
        209⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675203.exe
        204⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675265.exe
        205⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675296.exe
        205⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675375.exe
        206⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675453.exe
        207⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675468.exe
        207⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675359.exe
        206⤵
        Modifies registry class
        
        PID:4792
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        207⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675671.exe
        208⤵
        Modifies registry class
        
        PID:1568
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        209⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675875.exe
        210⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1560
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        211⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676093.exe
        212⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        213⤵
        
        PID:728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676281.exe
        214⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        215⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676515.exe
        216⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3716
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        217⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676812.exe
        218⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676828.exe
        218⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676875.exe
        219⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676921.exe
        219⤵
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676984.exe
        220⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677015.exe
        221⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4020
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        222⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677234.exe
        223⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3960
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        224⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677484.exe
        225⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        226⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677718.exe
        227⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1860
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        228⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677937.exe
        229⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677953.exe
        229⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678015.exe
        230⤵
        Checks computer location settings
        
        PID:4016
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        231⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678312.exe
        232⤵
        Checks computer location settings
        
        PID:3056
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        233⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678531.exe
        234⤵
        Checks computer location settings
        
        PID:1260
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        235⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678750.exe
        236⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678812.exe
        236⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678875.exe
        237⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678921.exe
        237⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678953.exe
        238⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678984.exe
        238⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679031.exe
        239⤵
        
        PID:3780
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        240⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679187.exe
        241⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679218.exe
        241⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679281.exe
        242⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679296.exe
        242⤵
        Drops file in System32 directory
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679343.exe
        243⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        244⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679562.exe
        245⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679593.exe
        245⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679625.exe
        246⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679687.exe
        246⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679843.exe
        247⤵
        
        PID:64
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679875.exe
        247⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679953.exe
        248⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680000.exe
        248⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679359.exe
        243⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679375.exe
        244⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679390.exe
        244⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679046.exe
        239⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678578.exe
        234⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678593.exe
        235⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678718.exe
        235⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678765.exe
        236⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        237⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679078.exe
        238⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679093.exe
        238⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679125.exe
        239⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679140.exe
        239⤵
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679171.exe
        240⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        241⤵
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679437.exe
        242⤵
        
        PID:240
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679484.exe
        242⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679515.exe
        243⤵
        Drops file in System32 directory
        
        PID:5092
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        244⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679703.exe
        245⤵
        Drops file in System32 directory
        
        PID:4368
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        246⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679906.exe
        247⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        248⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680093.exe
        249⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680125.exe
        250⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680250.exe
        250⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680281.exe
        251⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680296.exe
        251⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680312.exe
        252⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680390.exe
        252⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680062.exe
        249⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        250⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680484.exe
        251⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680500.exe
        251⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680531.exe
        252⤵
        
        PID:360
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680546.exe
        252⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680578.exe
        253⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680625.exe
        253⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681312.exe
        254⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681406.exe
        254⤵
        
        PID:100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679968.exe
        247⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679984.exe
        248⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680031.exe
        248⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680078.exe
        249⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680375.exe
        249⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680421.exe
        250⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4568
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        251⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680593.exe
        252⤵
        Modifies registry class
        
        PID:4688
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        253⤵
        
        PID:728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681531.exe
        254⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681562.exe
        254⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681593.exe
        255⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1480
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        256⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681890.exe
        257⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3668
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        258⤵
        Checks computer location settings
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682109.exe
        259⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        260⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682296.exe
        261⤵
        
        PID:2540
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        262⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682437.exe
        263⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682453.exe
        263⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682375.exe
        261⤵
        
        PID:240
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682406.exe
        262⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682156.exe
        259⤵
        
        PID:604
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682218.exe
        260⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682234.exe
        260⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681906.exe
        257⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681921.exe
        258⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681937.exe
        258⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681953.exe
        259⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681968.exe
        259⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682000.exe
        260⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682031.exe
        260⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682078.exe
        261⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682093.exe
        261⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682156.exe
        262⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682171.exe
        263⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682250.exe
        263⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682265.exe
        264⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682281.exe
        264⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682343.exe
        265⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682484.exe
        265⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682187.exe
        262⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681640.exe
        255⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681718.exe
        256⤵
        
        PID:1460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681750.exe
        256⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681796.exe
        257⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681812.exe
        257⤵
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681843.exe
        258⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681859.exe
        258⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680609.exe
        252⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681078.exe
        253⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681265.exe
        253⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681328.exe
        254⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681375.exe
        254⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681453.exe
        255⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681484.exe
        255⤵
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680453.exe
        250⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679750.exe
        245⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679781.exe
        246⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679890.exe
        246⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680109.exe
        247⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680156.exe
        247⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680203.exe
        248⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680328.exe
        248⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679578.exe
        243⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679609.exe
        244⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679671.exe
        244⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679765.exe
        245⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679812.exe
        245⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679265.exe
        240⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679453.exe
        241⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679468.exe
        241⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678796.exe
        236⤵
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678828.exe
        237⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678890.exe
        237⤵
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678375.exe
        232⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678437.exe
        233⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678468.exe
        233⤵
        
        PID:100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678484.exe
        234⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678500.exe
        234⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678656.exe
        235⤵
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678687.exe
        235⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678046.exe
        230⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678109.exe
        231⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678140.exe
        231⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678187.exe
        232⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678218.exe
        232⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677734.exe
        227⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677750.exe
        228⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677765.exe
        228⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677843.exe
        229⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677875.exe
        229⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677906.exe
        230⤵
        Checks computer location settings
        
        PID:4208
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        231⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678062.exe
        232⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678125.exe
        232⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678171.exe
        233⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678203.exe
        233⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678281.exe
        234⤵
        
        PID:360
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678296.exe
        234⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678359.exe
        235⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678453.exe
        235⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677968.exe
        230⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677500.exe
        225⤵
        
        PID:64
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677515.exe
        226⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677562.exe
        226⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677625.exe
        227⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677640.exe
        227⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677687.exe
        228⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677812.exe
        228⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677281.exe
        223⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677328.exe
        224⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677343.exe
        224⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677375.exe
        225⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677390.exe
        225⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677437.exe
        226⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677453.exe
        226⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677078.exe
        221⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676953.exe
        220⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676546.exe
        216⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676656.exe
        217⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676703.exe
        217⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676781.exe
        218⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        219⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677031.exe
        220⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677046.exe
        220⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677093.exe
        221⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677140.exe
        221⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677171.exe
        222⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677203.exe
        222⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677250.exe
        223⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677265.exe
        223⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676796.exe
        218⤵
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676843.exe
        219⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676890.exe
        219⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676296.exe
        214⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676312.exe
        215⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676328.exe
        215⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676359.exe
        216⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676437.exe
        216⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676468.exe
        217⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676578.exe
        217⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676125.exe
        212⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676250.exe
        213⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676265.exe
        213⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676343.exe
        214⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676453.exe
        214⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676562.exe
        215⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676687.exe
        215⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675937.exe
        210⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675984.exe
        211⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676046.exe
        211⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676109.exe
        212⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676140.exe
        212⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676171.exe
        213⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676203.exe
        213⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675765.exe
        208⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675828.exe
        209⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675890.exe
        209⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675906.exe
        210⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675953.exe
        210⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676000.exe
        211⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676015.exe
        211⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673296.exe
        202⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675062.exe
        203⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675125.exe
        203⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675281.exe
        204⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675234.exe
        204⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672796.exe
        199⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672390.exe
        197⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671937.exe
        194⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672125.exe
        195⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672218.exe
        195⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671312.exe
        190⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671390.exe
        191⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671546.exe
        191⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670921.exe
        189⤵
        
        PID:512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670953.exe
        186⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669312.exe
        181⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650203.exe
        176⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655000.exe
        177⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4712
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        178⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668234.exe
        177⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668765.exe
        178⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668890.exe
        179⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668984.exe
        179⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669125.exe
        180⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669296.exe
        180⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649765.exe
        174⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646781.exe
        169⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647015.exe
        170⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647046.exe
        170⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647640.exe
        171⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647828.exe
        171⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648171.exe
        172⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648203.exe
        172⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646281.exe
        167⤵
        
        PID:2212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646437.exe
        168⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646703.exe
        168⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644015.exe
        163⤵
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615937.exe
        158⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622328.exe
        159⤵
        
        PID:3240
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628640.exe
        159⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633718.exe
        160⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641421.exe
        160⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642203.exe
        161⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642234.exe
        161⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606265.exe
        156⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612234.exe
        157⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620328.exe
        157⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622296.exe
        158⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632546.exe
        158⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637171.exe
        159⤵
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641640.exe
        159⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605390.exe
        154⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605671.exe
        155⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668593.exe
        153⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668656.exe
        154⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668718.exe
        154⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669500.exe
        155⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669562.exe
        155⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669828.exe
        156⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669859.exe
        156⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668546.exe
        153⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603390.exe
        150⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603546.exe
        151⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604359.exe
        151⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605046.exe
        152⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605125.exe
        152⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602265.exe
        147⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602546.exe
        148⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602921.exe
        148⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603218.exe
        149⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603406.exe
        149⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600625.exe
        144⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600812.exe
        145⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600859.exe
        145⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600968.exe
        146⤵
        
        PID:1676
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601031.exe
        146⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601125.exe
        147⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        148⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602796.exe
        149⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603046.exe
        149⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603250.exe
        150⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602609.exe
        147⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600390.exe
        142⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600484.exe
        143⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600500.exe
        143⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600609.exe
        144⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600656.exe
        144⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600781.exe
        145⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600796.exe
        145⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600046.exe
        140⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600140.exe
        141⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600218.exe
        141⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599531.exe
        136⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599562.exe
        137⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599578.exe
        137⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598921.exe
        132⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599046.exe
        133⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599093.exe
        133⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599203.exe
        134⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599250.exe
        134⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599328.exe
        135⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599359.exe
        135⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598765.exe
        130⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598843.exe
        131⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598875.exe
        131⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598515.exe
        126⤵
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591906.exe
        121⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590671.exe
        116⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591312.exe
        117⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591328.exe
        117⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591437.exe
        118⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591500.exe
        118⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591531.exe
        119⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591593.exe
        119⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590437.exe
        114⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589625.exe
        109⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588765.exe
        104⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589109.exe
        105⤵
        
        PID:608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589140.exe
        105⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589265.exe
        106⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589359.exe
        106⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589375.exe
        107⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589390.exe
        107⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588328.exe
        102⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588359.exe
        103⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588578.exe
        103⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588609.exe
        104⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588656.exe
        104⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588109.exe
        100⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588156.exe
        101⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588171.exe
        101⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240587937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240587937.exe
        98⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588000.exe
        99⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588015.exe
        99⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\tmp240587437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240587437.exe
        96⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240587484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240587484.exe
        97⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\tmp240587843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240587843.exe
        97⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\tmp240587234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240587234.exe
        94⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240587265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240587265.exe
        95⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240587296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240587296.exe
        95⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\tmp240573859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240573859.exe
        92⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240573890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240573890.exe
        93⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240573906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240573906.exe
        93⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240573625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240573625.exe
        90⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240573671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240573671.exe
        91⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240573718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240573718.exe
        91⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\tmp240573359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240573359.exe
        88⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240573406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240573406.exe
        89⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\tmp240573421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240573421.exe
        89⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240573031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240573031.exe
        86⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\tmp240573062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240573062.exe
        87⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\tmp240573093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240573093.exe
        87⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\tmp240572812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240572812.exe
        84⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240572875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240572875.exe
        85⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp240572859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240572859.exe
        85⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\tmp240572578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240572578.exe
        82⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240572703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240572703.exe
        83⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240572718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240572718.exe
        83⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\tmp240572328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240572328.exe
        80⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\tmp240572359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240572359.exe
        81⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\tmp240572375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240572375.exe
        81⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\tmp240572125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240572125.exe
        78⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\tmp240571218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240571218.exe
        75⤵
        
        PID:360
        
        C:\Users\Admin\AppData\Local\Temp\tmp240571265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240571265.exe
        76⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240571281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240571281.exe
        76⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240570984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240570984.exe
        73⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmp240571015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240571015.exe
        74⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\tmp240571031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240571031.exe
        74⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\tmp240570312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240570312.exe
        71⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240570343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240570343.exe
        72⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240570359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240570359.exe
        72⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240570156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240570156.exe
        69⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240570171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240570171.exe
        70⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\tmp240570203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240570203.exe
        70⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240569890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240569890.exe
        67⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\tmp240569937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240569937.exe
        68⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240570000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240570000.exe
        68⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\tmp240568671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240568671.exe
        65⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp240568500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240568500.exe
        63⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\tmp240565687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240565687.exe
        61⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560421.exe
        59⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560203.exe
        57⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240559984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240559984.exe
        55⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Local\Temp\tmp240559781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240559781.exe
        53⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\tmp240559562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240559562.exe
        51⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\tmp240559343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240559343.exe
        49⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp240559140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240559140.exe
        47⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558906.exe
        45⤵
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558687.exe
        43⤵
        Executes dropped EXE
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558421.exe
        41⤵
        Executes dropped EXE
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558218.exe
        39⤵
        Executes dropped EXE
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557953.exe
        37⤵
        Executes dropped EXE
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557703.exe
        35⤵
        Executes dropped EXE
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557468.exe
        33⤵
        Executes dropped EXE
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557234.exe
        31⤵
        Executes dropped EXE
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557000.exe
        29⤵
        Executes dropped EXE
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556750.exe
        27⤵
        Executes dropped EXE
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556515.exe
        25⤵
        Executes dropped EXE
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556281.exe
        23⤵
        Executes dropped EXE
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\tmp240555984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240555984.exe
        21⤵
        Executes dropped EXE
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\tmp240555640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240555640.exe
        19⤵
        Executes dropped EXE
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240555265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240555265.exe
        17⤵
        Executes dropped EXE
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Temp\tmp240554734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240554734.exe
        15⤵
        Executes dropped EXE
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240554375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240554375.exe
        13⤵
        Executes dropped EXE
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240554000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240554000.exe
        11⤵
        Executes dropped EXE
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240552968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240552968.exe
        9⤵
        Executes dropped EXE
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\tmp240552671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240552671.exe
        7⤵
        Executes dropped EXE
        
        PID:4344
    - - C:\Users\Admin\AppData\Local\Temp\tmp240552359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240552359.exe
        5⤵
        Executes dropped EXE
        
        PID:4684
- - C:\Users\Admin\AppData\Local\Temp\tmp240551984.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240551984.exe
    3⤵
    - Executes dropped EXE
    PID:4808

C:\Users\Admin\AppData\Local\Temp\tmp240603875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240603875.exe
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:5112
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1400
- - C:\Users\Admin\AppData\Local\Temp\tmp240604531.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240604531.exe
    3⤵
    - Checks computer location settings
    - Drops file in System32 directory
    - Modifies registry class
    PID:1560
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:4644
    - - C:\Users\Admin\AppData\Local\Temp\tmp240605718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605718.exe
        5⤵
        
        PID:4580
    - - C:\Users\Admin\AppData\Local\Temp\tmp240605859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605859.exe
        5⤵
        
        PID:3148
      - C:\Users\Admin\AppData\Local\Temp\tmp240605937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605937.exe
        6⤵
        
        PID:872
      - C:\Users\Admin\AppData\Local\Temp\tmp240606125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606125.exe
        6⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606296.exe
        7⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615984.exe
        7⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622312.exe
        8⤵
        
        PID:3416
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628593.exe
        8⤵
        
        PID:3752
- - C:\Users\Admin\AppData\Local\Temp\tmp240605140.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240605140.exe
    3⤵
    PID:4824
  - - C:\Users\Admin\AppData\Local\Temp\tmp240605765.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240605765.exe
      4⤵
      PID:1392
  - - C:\Users\Admin\AppData\Local\Temp\tmp240605906.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240605906.exe
      4⤵
      PID:1348
    - - C:\Users\Admin\AppData\Local\Temp\tmp240606078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606078.exe
        5⤵
        
        PID:4180
    - - C:\Users\Admin\AppData\Local\Temp\tmp240606109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606109.exe
        5⤵
        
        PID:4304
      - C:\Users\Admin\AppData\Local\Temp\tmp240609000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609000.exe
        6⤵
        
        PID:2436
      - C:\Users\Admin\AppData\Local\Temp\tmp240620343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620343.exe
        6⤵
        
        PID:3196

C:\Users\Admin\AppData\Local\Temp\tmp240668531.exe
C:\Users\Admin\AppData\Local\Temp\tmp240668531.exe
1⤵
PID:3740

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp240551953.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240551953.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240551984.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240552312.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240552312.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240552359.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240552593.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240552593.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240552671.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240552937.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240552937.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240552968.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240553906.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240553906.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240554000.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240554234.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240554234.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240554375.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240554656.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240554656.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240554734.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240555031.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240555031.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240555265.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240555578.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240555578.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240555640.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240555843.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240555843.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240555984.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240556250.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240556250.exe

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
269KB

MD5
52c30e5069632251e223731b54da4000

SHA1
d3cd1dee81f1bcf5942f8a6dbc539aca19fc56dd

SHA256
6a1b0cbbc67c35b801fe66c3c53201142bb0e0da06353b725b111eeb5f0d1dec

SHA512
b2b6d2180d6f2681ddaef9360a62fdb7db88a141ff28a40080cab512c51e1293e8affb05e8eeb4f477df1879b0b3c2f46c1bbec47c35e47fe7ef4771ee0430a5

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
442KB

MD5
3703c290881d26788ba5a7e814851202

SHA1
e0ef8d8909a1bdfa0770a3f8cba65933bc77a369

SHA256
b4bc3c0befcdd9391f462081329954e9ddb70b4f0563f1bb0769d7da5945fe75

SHA512
29cdbe2430a5fb71054f2af98c46f9290463bbce3ebe3fbda29d84e05f1eabbff1b5d14c1a0f182890acca3d1b008cd089c03c9924f93d4de0071488a8534493

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
442KB

MD5
3703c290881d26788ba5a7e814851202

SHA1
e0ef8d8909a1bdfa0770a3f8cba65933bc77a369

SHA256
b4bc3c0befcdd9391f462081329954e9ddb70b4f0563f1bb0769d7da5945fe75

SHA512
29cdbe2430a5fb71054f2af98c46f9290463bbce3ebe3fbda29d84e05f1eabbff1b5d14c1a0f182890acca3d1b008cd089c03c9924f93d4de0071488a8534493

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
442KB

MD5
3703c290881d26788ba5a7e814851202

SHA1
e0ef8d8909a1bdfa0770a3f8cba65933bc77a369

SHA256
b4bc3c0befcdd9391f462081329954e9ddb70b4f0563f1bb0769d7da5945fe75

SHA512
29cdbe2430a5fb71054f2af98c46f9290463bbce3ebe3fbda29d84e05f1eabbff1b5d14c1a0f182890acca3d1b008cd089c03c9924f93d4de0071488a8534493

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
442KB

MD5
3703c290881d26788ba5a7e814851202

SHA1
e0ef8d8909a1bdfa0770a3f8cba65933bc77a369

SHA256
b4bc3c0befcdd9391f462081329954e9ddb70b4f0563f1bb0769d7da5945fe75

SHA512
29cdbe2430a5fb71054f2af98c46f9290463bbce3ebe3fbda29d84e05f1eabbff1b5d14c1a0f182890acca3d1b008cd089c03c9924f93d4de0071488a8534493

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
442KB

MD5
3703c290881d26788ba5a7e814851202

SHA1
e0ef8d8909a1bdfa0770a3f8cba65933bc77a369

SHA256
b4bc3c0befcdd9391f462081329954e9ddb70b4f0563f1bb0769d7da5945fe75

SHA512
29cdbe2430a5fb71054f2af98c46f9290463bbce3ebe3fbda29d84e05f1eabbff1b5d14c1a0f182890acca3d1b008cd089c03c9924f93d4de0071488a8534493

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
442KB

MD5
3703c290881d26788ba5a7e814851202

SHA1
e0ef8d8909a1bdfa0770a3f8cba65933bc77a369

SHA256
b4bc3c0befcdd9391f462081329954e9ddb70b4f0563f1bb0769d7da5945fe75

SHA512
29cdbe2430a5fb71054f2af98c46f9290463bbce3ebe3fbda29d84e05f1eabbff1b5d14c1a0f182890acca3d1b008cd089c03c9924f93d4de0071488a8534493

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
442KB

MD5
3703c290881d26788ba5a7e814851202

SHA1
e0ef8d8909a1bdfa0770a3f8cba65933bc77a369

SHA256
b4bc3c0befcdd9391f462081329954e9ddb70b4f0563f1bb0769d7da5945fe75

SHA512
29cdbe2430a5fb71054f2af98c46f9290463bbce3ebe3fbda29d84e05f1eabbff1b5d14c1a0f182890acca3d1b008cd089c03c9924f93d4de0071488a8534493

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
442KB

MD5
3703c290881d26788ba5a7e814851202

SHA1
e0ef8d8909a1bdfa0770a3f8cba65933bc77a369

SHA256
b4bc3c0befcdd9391f462081329954e9ddb70b4f0563f1bb0769d7da5945fe75

SHA512
29cdbe2430a5fb71054f2af98c46f9290463bbce3ebe3fbda29d84e05f1eabbff1b5d14c1a0f182890acca3d1b008cd089c03c9924f93d4de0071488a8534493

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
442KB

MD5
3703c290881d26788ba5a7e814851202

SHA1
e0ef8d8909a1bdfa0770a3f8cba65933bc77a369

SHA256
b4bc3c0befcdd9391f462081329954e9ddb70b4f0563f1bb0769d7da5945fe75

SHA512
29cdbe2430a5fb71054f2af98c46f9290463bbce3ebe3fbda29d84e05f1eabbff1b5d14c1a0f182890acca3d1b008cd089c03c9924f93d4de0071488a8534493

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
442KB

MD5
3703c290881d26788ba5a7e814851202

SHA1
e0ef8d8909a1bdfa0770a3f8cba65933bc77a369

SHA256
b4bc3c0befcdd9391f462081329954e9ddb70b4f0563f1bb0769d7da5945fe75

SHA512
29cdbe2430a5fb71054f2af98c46f9290463bbce3ebe3fbda29d84e05f1eabbff1b5d14c1a0f182890acca3d1b008cd089c03c9924f93d4de0071488a8534493

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
442KB

MD5
3703c290881d26788ba5a7e814851202

SHA1
e0ef8d8909a1bdfa0770a3f8cba65933bc77a369

SHA256
b4bc3c0befcdd9391f462081329954e9ddb70b4f0563f1bb0769d7da5945fe75

SHA512
29cdbe2430a5fb71054f2af98c46f9290463bbce3ebe3fbda29d84e05f1eabbff1b5d14c1a0f182890acca3d1b008cd089c03c9924f93d4de0071488a8534493

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
442KB

MD5
3703c290881d26788ba5a7e814851202

SHA1
e0ef8d8909a1bdfa0770a3f8cba65933bc77a369

SHA256
b4bc3c0befcdd9391f462081329954e9ddb70b4f0563f1bb0769d7da5945fe75

SHA512
29cdbe2430a5fb71054f2af98c46f9290463bbce3ebe3fbda29d84e05f1eabbff1b5d14c1a0f182890acca3d1b008cd089c03c9924f93d4de0071488a8534493

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
memory/224-195-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/360-311-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/368-297-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/368-299-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/512-295-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/608-314-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/608-313-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/724-174-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/724-169-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/740-316-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/892-285-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/892-321-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/896-291-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/924-309-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1148-290-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1260-323-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1280-257-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1280-255-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1544-216-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1544-208-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1592-312-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1624-260-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1912-317-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2080-287-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2084-143-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2084-135-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2088-187-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2088-182-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2096-277-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2096-274-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2100-322-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2228-315-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2252-288-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2404-243-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2644-292-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2768-305-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2820-306-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2868-251-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2976-272-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3000-268-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3148-236-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3400-264-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3488-307-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3496-226-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3656-294-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3656-293-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3700-300-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3740-310-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3752-205-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4044-308-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4152-247-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4244-298-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4244-296-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4264-163-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4552-319-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4596-303-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4720-281-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4772-318-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4788-153-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4836-304-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4880-289-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4920-302-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4920-301-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4972-320-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download