0246e497293ced9cae1cfd6809a7d4e6a9d9980d365e3c6769c60e00c4f0a110

Analysis

max time kernel
136s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/11/2022, 16:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

0246e497293ced9cae1cfd6809a7d4e6a9d9980d365e3c6769c60e00c4f0a110.exe
Size

368KB
MD5

043316ad86cdf1acab1eef2e6f10ac53
SHA1

2e5d324b72f6c4d35b33a1e64b726a32d1d15739
SHA256

0246e497293ced9cae1cfd6809a7d4e6a9d9980d365e3c6769c60e00c4f0a110
SHA512

92c4a386f3cd683ef181e9d420edd43878aa10e7c8bdedff75b2c8a5b8828b6bae8e75f6aae4f834a41a0514cde448ec17cf5d53afafbfc28acc3fadadbc3ab1
SSDEEP

6144:oftdcNdPHPeftdcNdPCftdcNdPNPeftdcNSh5a0Y3q8gk76c:bdPHPFdPZdPNPFSy3SkGc

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
4968	notpad.exe
5072	tmp240555140.exe
4432	tmp240555171.exe
1408	notpad.exe
3392	tmp240555453.exe
4512	tmp240555515.exe
1580	notpad.exe
4880	tmp240555796.exe
4796	tmp240555875.exe
4724	notpad.exe
2252	tmp240556203.exe
3268	tmp240556234.exe
4368	notpad.exe
1240	tmp240556515.exe
2632	tmp240556578.exe
3080	notpad.exe
4396	tmp240556781.exe
3052	tmp240556828.exe
1316	notpad.exe
176	tmp240557140.exe
2016	tmp240557203.exe
4228	notpad.exe
3476	tmp240557671.exe
3912	tmp240557703.exe
4568	notpad.exe
4356	tmp240558015.exe
4320	tmp240558046.exe
4112	notpad.exe
3356	tmp240558328.exe
4976	tmp240558359.exe
676	notpad.exe
4916	tmp240558640.exe
1172	tmp240558687.exe
2636	notpad.exe
1564	tmp240558968.exe
3428	notpad.exe
3668	tmp240558984.exe
3640	tmp240559171.exe
4620	tmp240559578.exe
3180	notpad.exe
1592	tmp240559796.exe
1924	tmp240559828.exe
4700	notpad.exe
5028	tmp240560093.exe
1112	tmp240560140.exe
3164	notpad.exe
2248	tmp240560359.exe
736	tmp240560390.exe
2224	notpad.exe
3472	tmp240560578.exe
1796	tmp240560671.exe
2584	notpad.exe
4204	tmp240560843.exe
728	tmp240560859.exe
460	notpad.exe
3284	tmp240561046.exe
3352	tmp240561062.exe
2596	notpad.exe
2972	tmp240561250.exe
4352	notpad.exe
4104	tmp240576031.exe
5056	tmp240577687.exe
5072	tmp240575875.exe
4512	notpad.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000022e34-133.dat	upx
behavioral2/files/0x0007000000022e34-134.dat	upx
behavioral2/files/0x0009000000022e01-139.dat	upx
behavioral2/memory/4968-142-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022e34-144.dat	upx
behavioral2/files/0x0009000000022e01-149.dat	upx
behavioral2/memory/1408-152-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022e34-154.dat	upx
behavioral2/files/0x0009000000022e01-158.dat	upx
behavioral2/memory/1580-162-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022e34-164.dat	upx
behavioral2/memory/4724-172-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0009000000022e01-169.dat	upx
behavioral2/files/0x0007000000022e34-174.dat	upx
behavioral2/memory/4368-182-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0009000000022e01-178.dat	upx
behavioral2/files/0x0007000000022e34-184.dat	upx
behavioral2/files/0x0009000000022e01-188.dat	upx
behavioral2/memory/3080-192-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022e34-194.dat	upx
behavioral2/files/0x0009000000022e01-198.dat	upx
behavioral2/memory/1316-200-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1316-203-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022e34-205.dat	upx
behavioral2/memory/4228-213-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0009000000022e01-210.dat	upx
behavioral2/files/0x0007000000022e34-215.dat	upx
behavioral2/files/0x0009000000022e01-220.dat	upx
behavioral2/memory/4568-223-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022e34-225.dat	upx
behavioral2/files/0x0009000000022e01-230.dat	upx
behavioral2/memory/4112-233-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022e34-235.dat	upx
behavioral2/memory/676-240-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2636-244-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3428-245-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2636-248-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3428-250-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3180-254-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4700-258-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3164-262-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2224-266-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2584-270-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/460-274-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2596-276-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4352-279-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4352-283-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2596-284-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4512-286-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3972-287-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4880-288-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4232-289-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2624-290-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3700-291-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2312-292-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3916-293-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3940-294-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3916-295-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3940-296-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5088-297-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1740-298-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2692-299-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2328-300-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4312-301-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240668125.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240673109.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240685234.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240681109.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240679203.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240684968.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	0246e497293ced9cae1cfd6809a7d4e6a9d9980d365e3c6769c60e00c4f0a110.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240645687.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240595953.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240665312.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240681296.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240560843.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240578156.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240597265.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240597531.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240662937.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240667296.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240681890.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240682546.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240558968.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240595062.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240673656.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240684046.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240559171.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240596484.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240676703.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240683546.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240600062.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240611031.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240667031.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240646875.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240669218.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240672140.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240675421.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240683000.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240555796.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240579875.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240603625.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240669015.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240670250.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240561046.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240603437.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240678812.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240683859.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240595437.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240601296.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240678796.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240685203.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240601609.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240652921.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240632906.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240648312.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240682687.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240558015.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240598625.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240605500.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240669734.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240557671.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240592406.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240666203.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240671921.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240555140.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240576031.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	tmp240642890.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\notpad.exe	tmp240667031.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240667296.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240675687.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240598921.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240632906.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240642890.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240657812.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240657812.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240680781.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240557671.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240558968.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240595953.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240596140.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240598015.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240599468.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240666796.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240644703.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240685156.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240576031.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240645437.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240672640.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240673296.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240673968.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240680781.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240682687.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240560093.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240596484.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240600921.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240646046.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240668359.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240679203.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240597531.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240682687.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240599468.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240607703.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240665968.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240675421.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240645687.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240560578.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240672421.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240594796.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240611203.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240640453.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240646328.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240667031.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240667718.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240685203.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240595062.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240607703.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240644093.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240555796.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240559171.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240674375.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240683203.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240555140.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240662937.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240674609.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240678796.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240578953.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240592187.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240610812.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240665968.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240667296.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240670078.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240597531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240642890.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240675687.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240683000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240683390.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240560359.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240600921.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240665750.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240666640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240672890.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240591953.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240578953.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240592187.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240596953.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240598015.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240611203.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240681296.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240681578.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	0246e497293ced9cae1cfd6809a7d4e6a9d9980d365e3c6769c60e00c4f0a110.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240610812.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240670468.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240672640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240673109.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240558328.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240672421.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240673968.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240678812.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240681890.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240684046.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240669500.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240597265.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240600328.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240602953.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240641375.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240645687.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240683546.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240558015.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240580015.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240640906.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240682546.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240577937.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240599468.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240644093.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240665968.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240666453.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240669734.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240684671.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240595062.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240598921.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240603625.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240605906.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240680250.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240596484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240561250.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240576031.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240580921.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240598625.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240648312.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240665312.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240666796.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240558968.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240667906.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240595687.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240560578.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 4968	2972	0246e497293ced9cae1cfd6809a7d4e6a9d9980d365e3c6769c60e00c4f0a110.exe	80
PID 2972 wrote to memory of 4968	2972	0246e497293ced9cae1cfd6809a7d4e6a9d9980d365e3c6769c60e00c4f0a110.exe	80
PID 2972 wrote to memory of 4968	2972	0246e497293ced9cae1cfd6809a7d4e6a9d9980d365e3c6769c60e00c4f0a110.exe	80
PID 4968 wrote to memory of 5072	4968	notpad.exe	81
PID 4968 wrote to memory of 5072	4968	notpad.exe	81
PID 4968 wrote to memory of 5072	4968	notpad.exe	81
PID 4968 wrote to memory of 4432	4968	notpad.exe	82
PID 4968 wrote to memory of 4432	4968	notpad.exe	82
PID 4968 wrote to memory of 4432	4968	notpad.exe	82
PID 5072 wrote to memory of 1408	5072	tmp240555140.exe	83
PID 5072 wrote to memory of 1408	5072	tmp240555140.exe	83
PID 5072 wrote to memory of 1408	5072	tmp240555140.exe	83
PID 1408 wrote to memory of 3392	1408	notpad.exe	84
PID 1408 wrote to memory of 3392	1408	notpad.exe	84
PID 1408 wrote to memory of 3392	1408	notpad.exe	84
PID 1408 wrote to memory of 4512	1408	notpad.exe	85
PID 1408 wrote to memory of 4512	1408	notpad.exe	85
PID 1408 wrote to memory of 4512	1408	notpad.exe	85
PID 3392 wrote to memory of 1580	3392	tmp240555453.exe	86
PID 3392 wrote to memory of 1580	3392	tmp240555453.exe	86
PID 3392 wrote to memory of 1580	3392	tmp240555453.exe	86
PID 1580 wrote to memory of 4880	1580	notpad.exe	87
PID 1580 wrote to memory of 4880	1580	notpad.exe	87
PID 1580 wrote to memory of 4880	1580	notpad.exe	87
PID 1580 wrote to memory of 4796	1580	notpad.exe	88
PID 1580 wrote to memory of 4796	1580	notpad.exe	88
PID 1580 wrote to memory of 4796	1580	notpad.exe	88
PID 4880 wrote to memory of 4724	4880	tmp240555796.exe	89
PID 4880 wrote to memory of 4724	4880	tmp240555796.exe	89
PID 4880 wrote to memory of 4724	4880	tmp240555796.exe	89
PID 4724 wrote to memory of 2252	4724	notpad.exe	90
PID 4724 wrote to memory of 2252	4724	notpad.exe	90
PID 4724 wrote to memory of 2252	4724	notpad.exe	90
PID 4724 wrote to memory of 3268	4724	notpad.exe	91
PID 4724 wrote to memory of 3268	4724	notpad.exe	91
PID 4724 wrote to memory of 3268	4724	notpad.exe	91
PID 2252 wrote to memory of 4368	2252	tmp240556203.exe	92
PID 2252 wrote to memory of 4368	2252	tmp240556203.exe	92
PID 2252 wrote to memory of 4368	2252	tmp240556203.exe	92
PID 4368 wrote to memory of 1240	4368	notpad.exe	93
PID 4368 wrote to memory of 1240	4368	notpad.exe	93
PID 4368 wrote to memory of 1240	4368	notpad.exe	93
PID 4368 wrote to memory of 2632	4368	notpad.exe	94
PID 4368 wrote to memory of 2632	4368	notpad.exe	94
PID 4368 wrote to memory of 2632	4368	notpad.exe	94
PID 1240 wrote to memory of 3080	1240	tmp240556515.exe	95
PID 1240 wrote to memory of 3080	1240	tmp240556515.exe	95
PID 1240 wrote to memory of 3080	1240	tmp240556515.exe	95
PID 3080 wrote to memory of 4396	3080	notpad.exe	96
PID 3080 wrote to memory of 4396	3080	notpad.exe	96
PID 3080 wrote to memory of 4396	3080	notpad.exe	96
PID 3080 wrote to memory of 3052	3080	notpad.exe	97
PID 3080 wrote to memory of 3052	3080	notpad.exe	97
PID 3080 wrote to memory of 3052	3080	notpad.exe	97
PID 4396 wrote to memory of 1316	4396	tmp240556781.exe	98
PID 4396 wrote to memory of 1316	4396	tmp240556781.exe	98
PID 4396 wrote to memory of 1316	4396	tmp240556781.exe	98
PID 1316 wrote to memory of 176	1316	notpad.exe	99
PID 1316 wrote to memory of 176	1316	notpad.exe	99
PID 1316 wrote to memory of 176	1316	notpad.exe	99
PID 1316 wrote to memory of 2016	1316	notpad.exe	100
PID 1316 wrote to memory of 2016	1316	notpad.exe	100
PID 1316 wrote to memory of 2016	1316	notpad.exe	100
PID 176 wrote to memory of 4228	176	tmp240557140.exe	101

C:\Users\Admin\AppData\Local\Temp\0246e497293ced9cae1cfd6809a7d4e6a9d9980d365e3c6769c60e00c4f0a110.exe
"C:\Users\Admin\AppData\Local\Temp\0246e497293ced9cae1cfd6809a7d4e6a9d9980d365e3c6769c60e00c4f0a110.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Users\Admin\AppData\Local\Temp\tmp240555140.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240555140.exe
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:5072
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1408
    - - C:\Users\Admin\AppData\Local\Temp\tmp240555453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240555453.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3392
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240555796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240555796.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4880
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556203.exe
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556515.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556781.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557140.exe
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:176
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        Executes dropped EXE
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557671.exe
        17⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3476
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        Executes dropped EXE
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558015.exe
        19⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        Executes dropped EXE
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558328.exe
        21⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3356
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        22⤵
        Executes dropped EXE
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558640.exe
        23⤵
        Executes dropped EXE
        
        PID:4916
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        24⤵
        Executes dropped EXE
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558968.exe
        25⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1564
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        26⤵
        Executes dropped EXE
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\tmp240559171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240559171.exe
        27⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3640
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        28⤵
        Executes dropped EXE
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240559796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240559796.exe
        29⤵
        Executes dropped EXE
        
        PID:1592
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        30⤵
        Executes dropped EXE
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560093.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5028
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        32⤵
        Executes dropped EXE
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560359.exe
        33⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2248
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        34⤵
        Executes dropped EXE
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560578.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3472
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        36⤵
        Executes dropped EXE
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560843.exe
        37⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:4204
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        38⤵
        Executes dropped EXE
        
        PID:460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240561046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240561046.exe
        39⤵
        Executes dropped EXE
        Checks computer location settings
        
        PID:3284
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        40⤵
        Executes dropped EXE
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\tmp240561250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240561250.exe
        41⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        42⤵
        Executes dropped EXE
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\tmp240576031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240576031.exe
        43⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4104
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        44⤵
        Executes dropped EXE
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240577937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240577937.exe
        45⤵
        Modifies registry class
        
        PID:3444
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        46⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240578156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240578156.exe
        47⤵
        Checks computer location settings
        
        PID:4796
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        48⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\tmp240578734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240578734.exe
        49⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        50⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\tmp240578953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240578953.exe
        51⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4444
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        52⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\tmp240579171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240579171.exe
        53⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        54⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\tmp240579875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240579875.exe
        55⤵
        Checks computer location settings
        
        PID:3080
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        56⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240580046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240580046.exe
        57⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240580015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240580015.exe
        57⤵
        Modifies registry class
        
        PID:4468
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        58⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\tmp240580171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240580171.exe
        59⤵
        
        PID:3692
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        60⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\tmp240580921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240580921.exe
        61⤵
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        62⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591234.exe
        63⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        64⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591453.exe
        65⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        66⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591953.exe
        67⤵
        Modifies registry class
        
        PID:5104
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        68⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592187.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2552
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        70⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592406.exe
        71⤵
        Checks computer location settings
        
        PID:3820
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        72⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594796.exe
        73⤵
        Drops file in System32 directory
        
        PID:2304
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        74⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595062.exe
        75⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1724
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        76⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595437.exe
        77⤵
        Checks computer location settings
        
        PID:1404
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        78⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595687.exe
        79⤵
        Modifies registry class
        
        PID:4200
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        80⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595953.exe
        81⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:728
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        82⤵
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596140.exe
        83⤵
        Drops file in System32 directory
        
        PID:460
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        84⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596484.exe
        85⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3696
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        86⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596687.exe
        87⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        88⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596953.exe
        89⤵
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        90⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597265.exe
        91⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3784
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        92⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597531.exe
        93⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4720
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        94⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597796.exe
        95⤵
        
        PID:2308
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        96⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598015.exe
        97⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1424
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        98⤵
        
        PID:204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598312.exe
        99⤵
        
        PID:32
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        100⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598625.exe
        101⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2536
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        102⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598921.exe
        103⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1708
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        104⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599218.exe
        105⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        106⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599468.exe
        107⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        108⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599781.exe
        109⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        110⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600062.exe
        111⤵
        Checks computer location settings
        
        PID:5012
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        112⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600328.exe
        113⤵
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        114⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600593.exe
        115⤵
        
        PID:388
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        116⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600921.exe
        117⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3552
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        118⤵
        
        PID:3764
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601296.exe
        119⤵
        Checks computer location settings
        
        PID:2464
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        120⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601609.exe
        121⤵
        Checks computer location settings
        
        PID:2248
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        122⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602953.exe
        123⤵
        Modifies registry class
        
        PID:2768
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        124⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603203.exe
        125⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        126⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603437.exe
        127⤵
        Checks computer location settings
        
        PID:984
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        128⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603625.exe
        129⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3196
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        130⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604187.exe
        131⤵
        
        PID:456
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        132⤵
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604390.exe
        133⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        134⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605500.exe
        135⤵
        Checks computer location settings
        
        PID:4720
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        136⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605750.exe
        137⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        138⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605906.exe
        139⤵
        Modifies registry class
        
        PID:948
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        140⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607453.exe
        141⤵
        
        PID:3500
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        142⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607703.exe
        143⤵
        Drops file in System32 directory
        
        PID:2536
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        144⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607921.exe
        145⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        146⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609312.exe
        147⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        148⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609484.exe
        149⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        150⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609687.exe
        151⤵
        
        PID:4864
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        152⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610812.exe
        153⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1096
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        154⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611031.exe
        155⤵
        Checks computer location settings
        
        PID:772
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        156⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611203.exe
        157⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3816
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        158⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632906.exe
        159⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:912
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        160⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640453.exe
        161⤵
        Drops file in System32 directory
        
        PID:4200
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        162⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640906.exe
        163⤵
        Modifies registry class
        
        PID:8
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        164⤵
        
        PID:460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641375.exe
        165⤵
        Modifies registry class
        
        PID:2968
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        166⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641859.exe
        167⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        168⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642343.exe
        169⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        170⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643125.exe
        171⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643375.exe
        171⤵
        
        PID:32
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643890.exe
        172⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643953.exe
        172⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642781.exe
        169⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642890.exe
        170⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:808
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        171⤵
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643812.exe
        172⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        173⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644093.exe
        174⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5080
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        175⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644703.exe
        176⤵
        Drops file in System32 directory
        
        PID:2040
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        177⤵
        
        PID:724
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645437.exe
        178⤵
        Drops file in System32 directory
        
        PID:676
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        179⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645781.exe
        180⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645921.exe
        180⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646046.exe
        181⤵
        Drops file in System32 directory
        
        PID:2688
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        182⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646328.exe
        183⤵
        Drops file in System32 directory
        
        PID:4052
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        184⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646609.exe
        185⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        186⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646875.exe
        187⤵
        Checks computer location settings
        
        PID:1844
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        188⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647171.exe
        189⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        190⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648312.exe
        191⤵
        Checks computer location settings
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        192⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652921.exe
        193⤵
        Checks computer location settings
        
        PID:4352
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        194⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657203.exe
        195⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658828.exe
        195⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665203.exe
        196⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665281.exe
        196⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653734.exe
        193⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657812.exe
        194⤵
        Drops file in System32 directory
        
        PID:3060
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        195⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662937.exe
        196⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3576
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        197⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665312.exe
        198⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        199⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665468.exe
        200⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        201⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665750.exe
        202⤵
        Modifies registry class
        
        PID:4400
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        203⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665968.exe
        204⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        205⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666250.exe
        206⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666281.exe
        207⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666312.exe
        207⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666203.exe
        206⤵
        Checks computer location settings
        
        PID:1484
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        207⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666453.exe
        208⤵
        Modifies registry class
        
        PID:3668
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        209⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666687.exe
        210⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666718.exe
        210⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666765.exe
        211⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666781.exe
        211⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666796.exe
        212⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        213⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667031.exe
        214⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1560
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        215⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667296.exe
        216⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3720
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        217⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667578.exe
        218⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667609.exe
        218⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667656.exe
        219⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667703.exe
        219⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667781.exe
        220⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667843.exe
        220⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667343.exe
        216⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667437.exe
        217⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667468.exe
        217⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667546.exe
        218⤵
        
        PID:460
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        219⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667718.exe
        220⤵
        Drops file in System32 directory
        
        PID:2424
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        221⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667906.exe
        222⤵
        Modifies registry class
        
        PID:3408
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        223⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668125.exe
        224⤵
        Checks computer location settings
        
        PID:924
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        225⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668359.exe
        226⤵
        Drops file in System32 directory
        
        PID:3940
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        227⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669015.exe
        228⤵
        Checks computer location settings
        
        PID:5076
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        229⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669218.exe
        230⤵
        Checks computer location settings
        
        PID:4636
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        231⤵
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669437.exe
        232⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669453.exe
        232⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669500.exe
        233⤵
        Modifies registry class
        
        PID:4916
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        234⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669734.exe
        235⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1640
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        236⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670078.exe
        237⤵
        Drops file in System32 directory
        
        PID:1084
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        238⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670281.exe
        239⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670312.exe
        239⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670359.exe
        240⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670375.exe
        240⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670390.exe
        241⤵
        
        PID:728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670421.exe
        241⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670453.exe
        242⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670500.exe
        242⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670093.exe
        237⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670125.exe
        238⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670140.exe
        238⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670203.exe
        239⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670218.exe
        239⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670250.exe
        240⤵
        Checks computer location settings
        
        PID:3012
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        241⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670468.exe
        242⤵
        Modifies registry class
        
        PID:3980
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        243⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670656.exe
        244⤵
        
        PID:332
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671093.exe
        244⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671218.exe
        245⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671265.exe
        245⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671312.exe
        246⤵
        
        PID:3284
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        247⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671671.exe
        248⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671734.exe
        248⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671781.exe
        249⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671796.exe
        249⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671828.exe
        250⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671843.exe
        250⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671875.exe
        251⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671984.exe
        251⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671343.exe
        246⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671375.exe
        247⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671500.exe
        247⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670484.exe
        242⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670531.exe
        243⤵
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670578.exe
        243⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670609.exe
        244⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670625.exe
        244⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670671.exe
        245⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        246⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671296.exe
        247⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671406.exe
        247⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671484.exe
        248⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671515.exe
        248⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671546.exe
        249⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671593.exe
        249⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671656.exe
        250⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        251⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671921.exe
        252⤵
        Checks computer location settings
        
        PID:4748
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        253⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672171.exe
        254⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672281.exe
        254⤵
        
        PID:1000
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672343.exe
        255⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672406.exe
        255⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672484.exe
        256⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672562.exe
        256⤵
        
        PID:3456
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672640.exe
        257⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        258⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672906.exe
        259⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672953.exe
        259⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673031.exe
        260⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673046.exe
        260⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673062.exe
        261⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673093.exe
        261⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673125.exe
        262⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673156.exe
        262⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672671.exe
        257⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671953.exe
        252⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672046.exe
        253⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672093.exe
        253⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672140.exe
        254⤵
        Checks computer location settings
        
        PID:2152
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        255⤵
        
        PID:3672
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672421.exe
        256⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:724
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        257⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672656.exe
        258⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672734.exe
        258⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672781.exe
        259⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672828.exe
        259⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672921.exe
        260⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672968.exe
        261⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672984.exe
        261⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672890.exe
        260⤵
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        261⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673109.exe
        262⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        263⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673296.exe
        264⤵
        Drops file in System32 directory
        
        PID:1480
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        265⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673671.exe
        266⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673687.exe
        266⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673796.exe
        267⤵
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673812.exe
        267⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673859.exe
        268⤵
        
        PID:744
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        269⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673984.exe
        270⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674000.exe
        270⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674562.exe
        271⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674578.exe
        271⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674609.exe
        272⤵
        Drops file in System32 directory
        
        PID:5080
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        273⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674843.exe
        274⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        275⤵
        
        PID:676
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675140.exe
        276⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675171.exe
        276⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675250.exe
        277⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675265.exe
        277⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675343.exe
        278⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675359.exe
        278⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675421.exe
        279⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3800
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        280⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675562.exe
        281⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        282⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675687.exe
        283⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4044
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        284⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675843.exe
        285⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        286⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676140.exe
        287⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        288⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676296.exe
        289⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        290⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676437.exe
        289⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676515.exe
        290⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        291⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676703.exe
        292⤵
        Checks computer location settings
        
        PID:2596
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        293⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676906.exe
        294⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676953.exe
        294⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677015.exe
        295⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677031.exe
        295⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677078.exe
        296⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677093.exe
        296⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677125.exe
        297⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        298⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677343.exe
        299⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        300⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677828.exe
        301⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677859.exe
        301⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677906.exe
        302⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677921.exe
        302⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677968.exe
        303⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        304⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678218.exe
        305⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        306⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678593.exe
        307⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678734.exe
        307⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678750.exe
        308⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678765.exe
        308⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679015.exe
        309⤵
        
        PID:528
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679062.exe
        309⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679421.exe
        310⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679453.exe
        310⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679781.exe
        311⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        312⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680250.exe
        313⤵
        Modifies registry class
        
        PID:3456
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        314⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680437.exe
        315⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        316⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680734.exe
        317⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        318⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681328.exe
        319⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681375.exe
        319⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681546.exe
        320⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681562.exe
        320⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681718.exe
        321⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        322⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682468.exe
        323⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682531.exe
        323⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682687.exe
        324⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4712
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        325⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683203.exe
        326⤵
        Drops file in System32 directory
        
        PID:832
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        327⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683937.exe
        328⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684046.exe
        328⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683234.exe
        326⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683390.exe
        327⤵
        Modifies registry class
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683546.exe
        328⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2620
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        329⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683906.exe
        330⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684109.exe
        330⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684187.exe
        331⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684234.exe
        331⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684515.exe
        332⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684625.exe
        332⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684750.exe
        333⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684843.exe
        333⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685203.exe
        334⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683562.exe
        328⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683609.exe
        329⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683812.exe
        329⤵
        
        PID:204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683859.exe
        330⤵
        Checks computer location settings
        
        PID:808
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        331⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684046.exe
        332⤵
        Checks computer location settings
        Modifies registry class
        
        PID:368
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        333⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684531.exe
        334⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684578.exe
        334⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684687.exe
        335⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684828.exe
        335⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684890.exe
        336⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684921.exe
        336⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685031.exe
        337⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685171.exe
        338⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684640.exe
        332⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684703.exe
        333⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685000.exe
        333⤵
        
        PID:1444
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685015.exe
        334⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685046.exe
        334⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685062.exe
        335⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685078.exe
        335⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685156.exe
        336⤵
        Drops file in System32 directory
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685250.exe
        336⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683359.exe
        327⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682718.exe
        324⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682734.exe
        325⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683046.exe
        325⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683265.exe
        326⤵
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683312.exe
        326⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684187.exe
        327⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684250.exe
        327⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681750.exe
        321⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681890.exe
        322⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4636
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        323⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682296.exe
        324⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682343.exe
        324⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683062.exe
        325⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683250.exe
        325⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683296.exe
        326⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683375.exe
        326⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683718.exe
        327⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683953.exe
        327⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683968.exe
        328⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683984.exe
        328⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681906.exe
        322⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682437.exe
        323⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682500.exe
        323⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680828.exe
        317⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680984.exe
        318⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681109.exe
        319⤵
        Checks computer location settings
        
        PID:2972
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        320⤵
        
        PID:176
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681296.exe
        321⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        322⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681765.exe
        323⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681781.exe
        323⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681921.exe
        324⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681937.exe
        324⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681968.exe
        325⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682000.exe
        325⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682609.exe
        326⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682968.exe
        326⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683109.exe
        327⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683828.exe
        327⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681593.exe
        321⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681609.exe
        322⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681640.exe
        322⤵
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681687.exe
        323⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681796.exe
        323⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681843.exe
        324⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681859.exe
        324⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682562.exe
        325⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683765.exe
        325⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684968.exe
        322⤵
        Checks computer location settings
        
        PID:440
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        323⤵
        
        PID:3196
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685234.exe
        324⤵
        Checks computer location settings
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681140.exe
        319⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681187.exe
        320⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681203.exe
        320⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681343.exe
        321⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681359.exe
        321⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680578.exe
        315⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681156.exe
        316⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681250.exe
        316⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681265.exe
        317⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681281.exe
        317⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681578.exe
        318⤵
        Modifies registry class
        
        PID:924
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        319⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681734.exe
        320⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682031.exe
        320⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682281.exe
        321⤵
        
        PID:2176
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        322⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682593.exe
        323⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682656.exe
        323⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683093.exe
        324⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683171.exe
        324⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683500.exe
        325⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684015.exe
        325⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684562.exe
        326⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684593.exe
        326⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684671.exe
        327⤵
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        328⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684734.exe
        327⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682328.exe
        321⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682406.exe
        322⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682546.exe
        323⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3948
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        324⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683125.exe
        325⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683531.exe
        325⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683593.exe
        326⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683640.exe
        326⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683671.exe
        327⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683781.exe
        327⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684609.exe
        328⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684859.exe
        328⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682625.exe
        323⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683000.exe
        324⤵
        Checks computer location settings
        Modifies registry class
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683156.exe
        324⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681875.exe
        318⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682984.exe
        319⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683078.exe
        319⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680359.exe
        313⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680546.exe
        314⤵
        
        PID:728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680562.exe
        314⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680921.exe
        315⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681171.exe
        316⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681453.exe
        316⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681468.exe
        317⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681484.exe
        317⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680875.exe
        315⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680015.exe
        311⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678359.exe
        305⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679500.exe
        306⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        307⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679875.exe
        308⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679953.exe
        308⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680062.exe
        309⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680187.exe
        310⤵
        
        PID:3128
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680203.exe
        310⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680031.exe
        309⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679515.exe
        306⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679671.exe
        307⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680421.exe
        307⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680796.exe
        308⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680781.exe
        308⤵
        Drops file in System32 directory
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678093.exe
        303⤵
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678109.exe
        304⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678281.exe
        304⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678468.exe
        305⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        306⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678656.exe
        307⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        308⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679031.exe
        309⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679046.exe
        309⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679078.exe
        310⤵
        
        PID:3408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679093.exe
        310⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680343.exe
        311⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680406.exe
        311⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680500.exe
        312⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680625.exe
        312⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681000.exe
        313⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681015.exe
        313⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678671.exe
        307⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678687.exe
        308⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678703.exe
        308⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678796.exe
        309⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:5072
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        310⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679203.exe
        311⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3452
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        312⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679546.exe
        313⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679593.exe
        313⤵
        
        PID:1096
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679687.exe
        314⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679890.exe
        314⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680046.exe
        315⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680109.exe
        316⤵
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680515.exe
        316⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680531.exe
        317⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680609.exe
        317⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679968.exe
        315⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679281.exe
        311⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679312.exe
        312⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679328.exe
        312⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679359.exe
        313⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679375.exe
        313⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679406.exe
        314⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679937.exe
        314⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680484.exe
        315⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680640.exe
        315⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678812.exe
        309⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678828.exe
        310⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678984.exe
        310⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679250.exe
        311⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679625.exe
        311⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678484.exe
        305⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677796.exe
        299⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678031.exe
        300⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678046.exe
        300⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678078.exe
        301⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678265.exe
        301⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678390.exe
        302⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678421.exe
        302⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679109.exe
        303⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679156.exe
        303⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677140.exe
        297⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677296.exe
        298⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677312.exe
        298⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676718.exe
        292⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676734.exe
        293⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676750.exe
        293⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676796.exe
        294⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676812.exe
        294⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676859.exe
        295⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676875.exe
        295⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676921.exe
        296⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        297⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677171.exe
        298⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677187.exe
        298⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677265.exe
        299⤵
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677281.exe
        299⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677328.exe
        300⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677359.exe
        300⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677390.exe
        301⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677437.exe
        301⤵
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677812.exe
        302⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        303⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677984.exe
        304⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678125.exe
        304⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678156.exe
        305⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678171.exe
        305⤵
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678328.exe
        306⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678375.exe
        306⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678531.exe
        307⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678578.exe
        307⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678609.exe
        308⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678625.exe
        308⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678015.exe
        302⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676937.exe
        296⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676546.exe
        290⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676578.exe
        291⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676593.exe
        291⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676640.exe
        292⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676656.exe
        292⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676156.exe
        287⤵
        
        PID:4232
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676234.exe
        288⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676250.exe
        288⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676265.exe
        289⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676312.exe
        289⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676343.exe
        290⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676390.exe
        290⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675859.exe
        285⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675875.exe
        286⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676109.exe
        286⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676187.exe
        287⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676328.exe
        287⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676375.exe
        288⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676500.exe
        288⤵
        
        PID:176
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675718.exe
        283⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675750.exe
        284⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675765.exe
        284⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676015.exe
        285⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676062.exe
        285⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676218.exe
        286⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676453.exe
        286⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675578.exe
        281⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675593.exe
        282⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675609.exe
        282⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675640.exe
        283⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675656.exe
        283⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675812.exe
        284⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675890.exe
        284⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675484.exe
        279⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675046.exe
        274⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675078.exe
        275⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        276⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675406.exe
        277⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675453.exe
        277⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675500.exe
        278⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675515.exe
        278⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675546.exe
        279⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675671.exe
        279⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675734.exe
        280⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675796.exe
        280⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675093.exe
        275⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675109.exe
        276⤵
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675218.exe
        276⤵
        
        PID:1876
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675296.exe
        277⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675312.exe
        277⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682390.exe
        277⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674765.exe
        272⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674796.exe
        273⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674812.exe
        273⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673875.exe
        268⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673890.exe
        269⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673937.exe
        269⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673328.exe
        264⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673375.exe
        265⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673437.exe
        265⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673468.exe
        266⤵
        
        PID:460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673609.exe
        266⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673656.exe
        267⤵
        Checks computer location settings
        
        PID:2968
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        268⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673843.exe
        269⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673921.exe
        269⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673968.exe
        270⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2252
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        271⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674375.exe
        272⤵
        Drops file in System32 directory
        
        PID:3392
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        273⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674687.exe
        274⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674718.exe
        274⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674750.exe
        275⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674781.exe
        275⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674937.exe
        276⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674984.exe
        276⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675015.exe
        277⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675031.exe
        277⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674453.exe
        272⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674515.exe
        273⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674531.exe
        273⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674593.exe
        274⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674656.exe
        274⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674671.exe
        275⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674703.exe
        275⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674015.exe
        270⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674062.exe
        271⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674390.exe
        271⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674421.exe
        272⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674484.exe
        272⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673734.exe
        267⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673203.exe
        262⤵
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673234.exe
        263⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673250.exe
        263⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673312.exe
        264⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673343.exe
        264⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673390.exe
        265⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673421.exe
        265⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680937.exe
        265⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672500.exe
        256⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672593.exe
        257⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672625.exe
        257⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672765.exe
        258⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672812.exe
        259⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672843.exe
        259⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672703.exe
        258⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672156.exe
        254⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672265.exe
        255⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672296.exe
        255⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671703.exe
        250⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671062.exe
        245⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670265.exe
        240⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669750.exe
        235⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669781.exe
        236⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669828.exe
        236⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669875.exe
        237⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669890.exe
        237⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669921.exe
        238⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669937.exe
        238⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669515.exe
        233⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669546.exe
        234⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669562.exe
        234⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669265.exe
        230⤵
        
        PID:724
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669296.exe
        231⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669312.exe
        231⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669375.exe
        232⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669421.exe
        232⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669046.exe
        228⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669078.exe
        229⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669093.exe
        229⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669156.exe
        230⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669171.exe
        230⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668406.exe
        226⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668468.exe
        227⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668875.exe
        227⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668921.exe
        228⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668953.exe
        228⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668187.exe
        224⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668203.exe
        225⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668234.exe
        225⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668265.exe
        226⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668281.exe
        226⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667953.exe
        222⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667984.exe
        223⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668000.exe
        223⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668046.exe
        224⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668062.exe
        224⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667765.exe
        220⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667812.exe
        221⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667828.exe
        221⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667859.exe
        222⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667890.exe
        222⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667562.exe
        218⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667125.exe
        214⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667171.exe
        215⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667250.exe
        215⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667281.exe
        216⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667375.exe
        216⤵
        
        PID:728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666843.exe
        212⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666484.exe
        208⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666515.exe
        209⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666562.exe
        209⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666640.exe
        210⤵
        Modifies registry class
        
        PID:212
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        211⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666828.exe
        212⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666875.exe
        212⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667000.exe
        213⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667015.exe
        213⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667062.exe
        214⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667078.exe
        214⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666656.exe
        210⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666031.exe
        204⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666062.exe
        205⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666156.exe
        205⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665828.exe
        202⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665859.exe
        203⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666046.exe
        203⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665484.exe
        200⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665531.exe
        201⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665562.exe
        201⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665328.exe
        198⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665359.exe
        199⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665421.exe
        199⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665171.exe
        196⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665218.exe
        197⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665234.exe
        197⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658781.exe
        194⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651328.exe
        191⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653750.exe
        192⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658750.exe
        192⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647203.exe
        189⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647265.exe
        190⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647281.exe
        190⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646906.exe
        187⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646984.exe
        188⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647000.exe
        188⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646687.exe
        185⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646765.exe
        186⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646828.exe
        186⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646421.exe
        183⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646484.exe
        184⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646578.exe
        184⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646109.exe
        181⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645468.exe
        178⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645687.exe
        179⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3168
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        180⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646093.exe
        181⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646125.exe
        181⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646218.exe
        182⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646250.exe
        182⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645859.exe
        179⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645015.exe
        176⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645218.exe
        177⤵
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645359.exe
        177⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644484.exe
        174⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644843.exe
        175⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645171.exe
        175⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643921.exe
        172⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644390.exe
        173⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644531.exe
        173⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643281.exe
        170⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642140.exe
        167⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642921.exe
        168⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643390.exe
        168⤵
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641671.exe
        165⤵
        
        PID:1180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642109.exe
        166⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642796.exe
        166⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680906.exe
        166⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680953.exe
        166⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641203.exe
        163⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641343.exe
        164⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641734.exe
        164⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640734.exe
        161⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641328.exe
        162⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641718.exe
        162⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638984.exe
        159⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632734.exe
        157⤵
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611046.exe
        155⤵
        
        PID:1524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610828.exe
        153⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610593.exe
        151⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609500.exe
        149⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609328.exe
        147⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609125.exe
        145⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607718.exe
        143⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607515.exe
        141⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607312.exe
        139⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605765.exe
        137⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605515.exe
        135⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605343.exe
        133⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604203.exe
        131⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604015.exe
        129⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603468.exe
        127⤵
        
        PID:3960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603250.exe
        125⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603000.exe
        123⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601718.exe
        121⤵
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601421.exe
        119⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601062.exe
        117⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600750.exe
        115⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600343.exe
        113⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600109.exe
        111⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599859.exe
        109⤵
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599640.exe
        107⤵
        
        PID:2044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599265.exe
        105⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599015.exe
        103⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598750.exe
        101⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598437.exe
        99⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598156.exe
        97⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597828.exe
        95⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597593.exe
        93⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597375.exe
        91⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597046.exe
        89⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596796.exe
        87⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596515.exe
        85⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596250.exe
        83⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595968.exe
        81⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595765.exe
        79⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595515.exe
        77⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595203.exe
        75⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594859.exe
        73⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592859.exe
        71⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240592218.exe
        69⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591968.exe
        67⤵
        
        PID:724
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591750.exe
        65⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591250.exe
        63⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240591031.exe
        61⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240580734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240580734.exe
        59⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\tmp240579890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240579890.exe
        55⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240579734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240579734.exe
        53⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\tmp240578984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240578984.exe
        51⤵
        
        PID:444
        
        C:\Users\Admin\AppData\Local\Temp\tmp240578750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240578750.exe
        49⤵
        
        PID:2576
        
        C:\Users\Admin\AppData\Local\Temp\tmp240578546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240578546.exe
        47⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\tmp240577953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240577953.exe
        45⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240577687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240577687.exe
        43⤵
        Executes dropped EXE
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240575875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240575875.exe
        41⤵
        Executes dropped EXE
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240561062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240561062.exe
        39⤵
        Executes dropped EXE
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560859.exe
        37⤵
        Executes dropped EXE
        
        PID:728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560671.exe
        35⤵
        Executes dropped EXE
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560390.exe
        33⤵
        Executes dropped EXE
        
        PID:736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240560140.exe
        31⤵
        Executes dropped EXE
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240559828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240559828.exe
        29⤵
        Executes dropped EXE
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\tmp240559578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240559578.exe
        27⤵
        Executes dropped EXE
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558984.exe
        25⤵
        Executes dropped EXE
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558687.exe
        23⤵
        Executes dropped EXE
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558359.exe
        21⤵
        Executes dropped EXE
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240558046.exe
        19⤵
        Executes dropped EXE
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557703.exe
        17⤵
        Executes dropped EXE
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240557203.exe
        15⤵
        Executes dropped EXE
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556828.exe
        13⤵
        Executes dropped EXE
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556578.exe
        11⤵
        Executes dropped EXE
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240556234.exe
        9⤵
        Executes dropped EXE
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\tmp240555875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240555875.exe
        7⤵
        Executes dropped EXE
        
        PID:4796
    - - C:\Users\Admin\AppData\Local\Temp\tmp240555515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240555515.exe
        5⤵
        Executes dropped EXE
        
        PID:4512
- - C:\Users\Admin\AppData\Local\Temp\tmp240555171.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240555171.exe
    3⤵
    - Executes dropped EXE
    PID:4432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp240555140.exe

Filesize
368KB

MD5
043316ad86cdf1acab1eef2e6f10ac53

SHA1
2e5d324b72f6c4d35b33a1e64b726a32d1d15739

SHA256
0246e497293ced9cae1cfd6809a7d4e6a9d9980d365e3c6769c60e00c4f0a110

SHA512
92c4a386f3cd683ef181e9d420edd43878aa10e7c8bdedff75b2c8a5b8828b6bae8e75f6aae4f834a41a0514cde448ec17cf5d53afafbfc28acc3fadadbc3ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240555140.exe

Filesize
368KB

MD5
043316ad86cdf1acab1eef2e6f10ac53

SHA1
2e5d324b72f6c4d35b33a1e64b726a32d1d15739

SHA256
0246e497293ced9cae1cfd6809a7d4e6a9d9980d365e3c6769c60e00c4f0a110

SHA512
92c4a386f3cd683ef181e9d420edd43878aa10e7c8bdedff75b2c8a5b8828b6bae8e75f6aae4f834a41a0514cde448ec17cf5d53afafbfc28acc3fadadbc3ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240555171.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240555453.exe

Filesize
368KB

MD5
043316ad86cdf1acab1eef2e6f10ac53

SHA1
2e5d324b72f6c4d35b33a1e64b726a32d1d15739

SHA256
0246e497293ced9cae1cfd6809a7d4e6a9d9980d365e3c6769c60e00c4f0a110

SHA512
92c4a386f3cd683ef181e9d420edd43878aa10e7c8bdedff75b2c8a5b8828b6bae8e75f6aae4f834a41a0514cde448ec17cf5d53afafbfc28acc3fadadbc3ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240555453.exe

Filesize
368KB

MD5
043316ad86cdf1acab1eef2e6f10ac53

SHA1
2e5d324b72f6c4d35b33a1e64b726a32d1d15739

SHA256
0246e497293ced9cae1cfd6809a7d4e6a9d9980d365e3c6769c60e00c4f0a110

SHA512
92c4a386f3cd683ef181e9d420edd43878aa10e7c8bdedff75b2c8a5b8828b6bae8e75f6aae4f834a41a0514cde448ec17cf5d53afafbfc28acc3fadadbc3ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240555515.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240555796.exe

Filesize
368KB

MD5
043316ad86cdf1acab1eef2e6f10ac53

SHA1
2e5d324b72f6c4d35b33a1e64b726a32d1d15739

SHA256
0246e497293ced9cae1cfd6809a7d4e6a9d9980d365e3c6769c60e00c4f0a110

SHA512
92c4a386f3cd683ef181e9d420edd43878aa10e7c8bdedff75b2c8a5b8828b6bae8e75f6aae4f834a41a0514cde448ec17cf5d53afafbfc28acc3fadadbc3ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240555796.exe

Filesize
368KB

MD5
043316ad86cdf1acab1eef2e6f10ac53

SHA1
2e5d324b72f6c4d35b33a1e64b726a32d1d15739

SHA256
0246e497293ced9cae1cfd6809a7d4e6a9d9980d365e3c6769c60e00c4f0a110

SHA512
92c4a386f3cd683ef181e9d420edd43878aa10e7c8bdedff75b2c8a5b8828b6bae8e75f6aae4f834a41a0514cde448ec17cf5d53afafbfc28acc3fadadbc3ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240555875.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240556203.exe

Filesize
368KB

MD5
043316ad86cdf1acab1eef2e6f10ac53

SHA1
2e5d324b72f6c4d35b33a1e64b726a32d1d15739

SHA256
0246e497293ced9cae1cfd6809a7d4e6a9d9980d365e3c6769c60e00c4f0a110

SHA512
92c4a386f3cd683ef181e9d420edd43878aa10e7c8bdedff75b2c8a5b8828b6bae8e75f6aae4f834a41a0514cde448ec17cf5d53afafbfc28acc3fadadbc3ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240556203.exe

Filesize
368KB

MD5
043316ad86cdf1acab1eef2e6f10ac53

SHA1
2e5d324b72f6c4d35b33a1e64b726a32d1d15739

SHA256
0246e497293ced9cae1cfd6809a7d4e6a9d9980d365e3c6769c60e00c4f0a110

SHA512
92c4a386f3cd683ef181e9d420edd43878aa10e7c8bdedff75b2c8a5b8828b6bae8e75f6aae4f834a41a0514cde448ec17cf5d53afafbfc28acc3fadadbc3ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240556234.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240556515.exe

Filesize
368KB

MD5
043316ad86cdf1acab1eef2e6f10ac53

SHA1
2e5d324b72f6c4d35b33a1e64b726a32d1d15739

SHA256
0246e497293ced9cae1cfd6809a7d4e6a9d9980d365e3c6769c60e00c4f0a110

SHA512
92c4a386f3cd683ef181e9d420edd43878aa10e7c8bdedff75b2c8a5b8828b6bae8e75f6aae4f834a41a0514cde448ec17cf5d53afafbfc28acc3fadadbc3ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240556515.exe

Filesize
368KB

MD5
043316ad86cdf1acab1eef2e6f10ac53

SHA1
2e5d324b72f6c4d35b33a1e64b726a32d1d15739

SHA256
0246e497293ced9cae1cfd6809a7d4e6a9d9980d365e3c6769c60e00c4f0a110

SHA512
92c4a386f3cd683ef181e9d420edd43878aa10e7c8bdedff75b2c8a5b8828b6bae8e75f6aae4f834a41a0514cde448ec17cf5d53afafbfc28acc3fadadbc3ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240556578.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240556781.exe

Filesize
368KB

MD5
043316ad86cdf1acab1eef2e6f10ac53

SHA1
2e5d324b72f6c4d35b33a1e64b726a32d1d15739

SHA256
0246e497293ced9cae1cfd6809a7d4e6a9d9980d365e3c6769c60e00c4f0a110

SHA512
92c4a386f3cd683ef181e9d420edd43878aa10e7c8bdedff75b2c8a5b8828b6bae8e75f6aae4f834a41a0514cde448ec17cf5d53afafbfc28acc3fadadbc3ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240556781.exe

Filesize
368KB

MD5
043316ad86cdf1acab1eef2e6f10ac53

SHA1
2e5d324b72f6c4d35b33a1e64b726a32d1d15739

SHA256
0246e497293ced9cae1cfd6809a7d4e6a9d9980d365e3c6769c60e00c4f0a110

SHA512
92c4a386f3cd683ef181e9d420edd43878aa10e7c8bdedff75b2c8a5b8828b6bae8e75f6aae4f834a41a0514cde448ec17cf5d53afafbfc28acc3fadadbc3ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240556828.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240557140.exe

Filesize
368KB

MD5
043316ad86cdf1acab1eef2e6f10ac53

SHA1
2e5d324b72f6c4d35b33a1e64b726a32d1d15739

SHA256
0246e497293ced9cae1cfd6809a7d4e6a9d9980d365e3c6769c60e00c4f0a110

SHA512
92c4a386f3cd683ef181e9d420edd43878aa10e7c8bdedff75b2c8a5b8828b6bae8e75f6aae4f834a41a0514cde448ec17cf5d53afafbfc28acc3fadadbc3ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240557140.exe

Filesize
368KB

MD5
043316ad86cdf1acab1eef2e6f10ac53

SHA1
2e5d324b72f6c4d35b33a1e64b726a32d1d15739

SHA256
0246e497293ced9cae1cfd6809a7d4e6a9d9980d365e3c6769c60e00c4f0a110

SHA512
92c4a386f3cd683ef181e9d420edd43878aa10e7c8bdedff75b2c8a5b8828b6bae8e75f6aae4f834a41a0514cde448ec17cf5d53afafbfc28acc3fadadbc3ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240557203.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240557671.exe

Filesize
368KB

MD5
043316ad86cdf1acab1eef2e6f10ac53

SHA1
2e5d324b72f6c4d35b33a1e64b726a32d1d15739

SHA256
0246e497293ced9cae1cfd6809a7d4e6a9d9980d365e3c6769c60e00c4f0a110

SHA512
92c4a386f3cd683ef181e9d420edd43878aa10e7c8bdedff75b2c8a5b8828b6bae8e75f6aae4f834a41a0514cde448ec17cf5d53afafbfc28acc3fadadbc3ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240557671.exe

Filesize
368KB

MD5
043316ad86cdf1acab1eef2e6f10ac53

SHA1
2e5d324b72f6c4d35b33a1e64b726a32d1d15739

SHA256
0246e497293ced9cae1cfd6809a7d4e6a9d9980d365e3c6769c60e00c4f0a110

SHA512
92c4a386f3cd683ef181e9d420edd43878aa10e7c8bdedff75b2c8a5b8828b6bae8e75f6aae4f834a41a0514cde448ec17cf5d53afafbfc28acc3fadadbc3ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240557703.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240558015.exe

Filesize
368KB

MD5
043316ad86cdf1acab1eef2e6f10ac53

SHA1
2e5d324b72f6c4d35b33a1e64b726a32d1d15739

SHA256
0246e497293ced9cae1cfd6809a7d4e6a9d9980d365e3c6769c60e00c4f0a110

SHA512
92c4a386f3cd683ef181e9d420edd43878aa10e7c8bdedff75b2c8a5b8828b6bae8e75f6aae4f834a41a0514cde448ec17cf5d53afafbfc28acc3fadadbc3ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240558015.exe

Filesize
368KB

MD5
043316ad86cdf1acab1eef2e6f10ac53

SHA1
2e5d324b72f6c4d35b33a1e64b726a32d1d15739

SHA256
0246e497293ced9cae1cfd6809a7d4e6a9d9980d365e3c6769c60e00c4f0a110

SHA512
92c4a386f3cd683ef181e9d420edd43878aa10e7c8bdedff75b2c8a5b8828b6bae8e75f6aae4f834a41a0514cde448ec17cf5d53afafbfc28acc3fadadbc3ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240558046.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240558328.exe

Filesize
368KB

MD5
043316ad86cdf1acab1eef2e6f10ac53

SHA1
2e5d324b72f6c4d35b33a1e64b726a32d1d15739

SHA256
0246e497293ced9cae1cfd6809a7d4e6a9d9980d365e3c6769c60e00c4f0a110

SHA512
92c4a386f3cd683ef181e9d420edd43878aa10e7c8bdedff75b2c8a5b8828b6bae8e75f6aae4f834a41a0514cde448ec17cf5d53afafbfc28acc3fadadbc3ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240558328.exe

Filesize
368KB

MD5
043316ad86cdf1acab1eef2e6f10ac53

SHA1
2e5d324b72f6c4d35b33a1e64b726a32d1d15739

SHA256
0246e497293ced9cae1cfd6809a7d4e6a9d9980d365e3c6769c60e00c4f0a110

SHA512
92c4a386f3cd683ef181e9d420edd43878aa10e7c8bdedff75b2c8a5b8828b6bae8e75f6aae4f834a41a0514cde448ec17cf5d53afafbfc28acc3fadadbc3ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240558359.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240558640.exe

Filesize
368KB

MD5
043316ad86cdf1acab1eef2e6f10ac53

SHA1
2e5d324b72f6c4d35b33a1e64b726a32d1d15739

SHA256
0246e497293ced9cae1cfd6809a7d4e6a9d9980d365e3c6769c60e00c4f0a110

SHA512
92c4a386f3cd683ef181e9d420edd43878aa10e7c8bdedff75b2c8a5b8828b6bae8e75f6aae4f834a41a0514cde448ec17cf5d53afafbfc28acc3fadadbc3ab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240558640.exe

Filesize
368KB

MD5
043316ad86cdf1acab1eef2e6f10ac53

SHA1
2e5d324b72f6c4d35b33a1e64b726a32d1d15739

SHA256
0246e497293ced9cae1cfd6809a7d4e6a9d9980d365e3c6769c60e00c4f0a110

SHA512
92c4a386f3cd683ef181e9d420edd43878aa10e7c8bdedff75b2c8a5b8828b6bae8e75f6aae4f834a41a0514cde448ec17cf5d53afafbfc28acc3fadadbc3ab1

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
368KB

MD5
043316ad86cdf1acab1eef2e6f10ac53

SHA1
2e5d324b72f6c4d35b33a1e64b726a32d1d15739

SHA256
0246e497293ced9cae1cfd6809a7d4e6a9d9980d365e3c6769c60e00c4f0a110

SHA512
92c4a386f3cd683ef181e9d420edd43878aa10e7c8bdedff75b2c8a5b8828b6bae8e75f6aae4f834a41a0514cde448ec17cf5d53afafbfc28acc3fadadbc3ab1

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
368KB

MD5
043316ad86cdf1acab1eef2e6f10ac53

SHA1
2e5d324b72f6c4d35b33a1e64b726a32d1d15739

SHA256
0246e497293ced9cae1cfd6809a7d4e6a9d9980d365e3c6769c60e00c4f0a110

SHA512
92c4a386f3cd683ef181e9d420edd43878aa10e7c8bdedff75b2c8a5b8828b6bae8e75f6aae4f834a41a0514cde448ec17cf5d53afafbfc28acc3fadadbc3ab1

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
368KB

MD5
043316ad86cdf1acab1eef2e6f10ac53

SHA1
2e5d324b72f6c4d35b33a1e64b726a32d1d15739

SHA256
0246e497293ced9cae1cfd6809a7d4e6a9d9980d365e3c6769c60e00c4f0a110

SHA512
92c4a386f3cd683ef181e9d420edd43878aa10e7c8bdedff75b2c8a5b8828b6bae8e75f6aae4f834a41a0514cde448ec17cf5d53afafbfc28acc3fadadbc3ab1

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
368KB

MD5
043316ad86cdf1acab1eef2e6f10ac53

SHA1
2e5d324b72f6c4d35b33a1e64b726a32d1d15739

SHA256
0246e497293ced9cae1cfd6809a7d4e6a9d9980d365e3c6769c60e00c4f0a110

SHA512
92c4a386f3cd683ef181e9d420edd43878aa10e7c8bdedff75b2c8a5b8828b6bae8e75f6aae4f834a41a0514cde448ec17cf5d53afafbfc28acc3fadadbc3ab1

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
368KB

MD5
043316ad86cdf1acab1eef2e6f10ac53

SHA1
2e5d324b72f6c4d35b33a1e64b726a32d1d15739

SHA256
0246e497293ced9cae1cfd6809a7d4e6a9d9980d365e3c6769c60e00c4f0a110

SHA512
92c4a386f3cd683ef181e9d420edd43878aa10e7c8bdedff75b2c8a5b8828b6bae8e75f6aae4f834a41a0514cde448ec17cf5d53afafbfc28acc3fadadbc3ab1

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
368KB

MD5
043316ad86cdf1acab1eef2e6f10ac53

SHA1
2e5d324b72f6c4d35b33a1e64b726a32d1d15739

SHA256
0246e497293ced9cae1cfd6809a7d4e6a9d9980d365e3c6769c60e00c4f0a110

SHA512
92c4a386f3cd683ef181e9d420edd43878aa10e7c8bdedff75b2c8a5b8828b6bae8e75f6aae4f834a41a0514cde448ec17cf5d53afafbfc28acc3fadadbc3ab1

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
368KB

MD5
043316ad86cdf1acab1eef2e6f10ac53

SHA1
2e5d324b72f6c4d35b33a1e64b726a32d1d15739

SHA256
0246e497293ced9cae1cfd6809a7d4e6a9d9980d365e3c6769c60e00c4f0a110

SHA512
92c4a386f3cd683ef181e9d420edd43878aa10e7c8bdedff75b2c8a5b8828b6bae8e75f6aae4f834a41a0514cde448ec17cf5d53afafbfc28acc3fadadbc3ab1

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
368KB

MD5
043316ad86cdf1acab1eef2e6f10ac53

SHA1
2e5d324b72f6c4d35b33a1e64b726a32d1d15739

SHA256
0246e497293ced9cae1cfd6809a7d4e6a9d9980d365e3c6769c60e00c4f0a110

SHA512
92c4a386f3cd683ef181e9d420edd43878aa10e7c8bdedff75b2c8a5b8828b6bae8e75f6aae4f834a41a0514cde448ec17cf5d53afafbfc28acc3fadadbc3ab1

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
368KB

MD5
043316ad86cdf1acab1eef2e6f10ac53

SHA1
2e5d324b72f6c4d35b33a1e64b726a32d1d15739

SHA256
0246e497293ced9cae1cfd6809a7d4e6a9d9980d365e3c6769c60e00c4f0a110

SHA512
92c4a386f3cd683ef181e9d420edd43878aa10e7c8bdedff75b2c8a5b8828b6bae8e75f6aae4f834a41a0514cde448ec17cf5d53afafbfc28acc3fadadbc3ab1

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
368KB

MD5
043316ad86cdf1acab1eef2e6f10ac53

SHA1
2e5d324b72f6c4d35b33a1e64b726a32d1d15739

SHA256
0246e497293ced9cae1cfd6809a7d4e6a9d9980d365e3c6769c60e00c4f0a110

SHA512
92c4a386f3cd683ef181e9d420edd43878aa10e7c8bdedff75b2c8a5b8828b6bae8e75f6aae4f834a41a0514cde448ec17cf5d53afafbfc28acc3fadadbc3ab1

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
541KB

MD5
a9c6d030fbbecc23daefadbf6104768d

SHA1
d71ceda35ee93fc16d6a4a77ace4beb617aa0982

SHA256
f35bb6299b9b8016f83a5f2404215ee8dfcbfae0d5ec2afbcf16982a084b140a

SHA512
d90cabad84c33f00935dd26ad89f15452b1e307ce04e9f99ba9ef309374f6441172704815c571c8fcd2b5e90d04b0cd58f7415ab0007df0d5d2be4d8b06b4e2e

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
541KB

MD5
a9c6d030fbbecc23daefadbf6104768d

SHA1
d71ceda35ee93fc16d6a4a77ace4beb617aa0982

SHA256
f35bb6299b9b8016f83a5f2404215ee8dfcbfae0d5ec2afbcf16982a084b140a

SHA512
d90cabad84c33f00935dd26ad89f15452b1e307ce04e9f99ba9ef309374f6441172704815c571c8fcd2b5e90d04b0cd58f7415ab0007df0d5d2be4d8b06b4e2e

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
541KB

MD5
a9c6d030fbbecc23daefadbf6104768d

SHA1
d71ceda35ee93fc16d6a4a77ace4beb617aa0982

SHA256
f35bb6299b9b8016f83a5f2404215ee8dfcbfae0d5ec2afbcf16982a084b140a

SHA512
d90cabad84c33f00935dd26ad89f15452b1e307ce04e9f99ba9ef309374f6441172704815c571c8fcd2b5e90d04b0cd58f7415ab0007df0d5d2be4d8b06b4e2e

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
541KB

MD5
a9c6d030fbbecc23daefadbf6104768d

SHA1
d71ceda35ee93fc16d6a4a77ace4beb617aa0982

SHA256
f35bb6299b9b8016f83a5f2404215ee8dfcbfae0d5ec2afbcf16982a084b140a

SHA512
d90cabad84c33f00935dd26ad89f15452b1e307ce04e9f99ba9ef309374f6441172704815c571c8fcd2b5e90d04b0cd58f7415ab0007df0d5d2be4d8b06b4e2e

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
541KB

MD5
a9c6d030fbbecc23daefadbf6104768d

SHA1
d71ceda35ee93fc16d6a4a77ace4beb617aa0982

SHA256
f35bb6299b9b8016f83a5f2404215ee8dfcbfae0d5ec2afbcf16982a084b140a

SHA512
d90cabad84c33f00935dd26ad89f15452b1e307ce04e9f99ba9ef309374f6441172704815c571c8fcd2b5e90d04b0cd58f7415ab0007df0d5d2be4d8b06b4e2e

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
541KB

MD5
a9c6d030fbbecc23daefadbf6104768d

SHA1
d71ceda35ee93fc16d6a4a77ace4beb617aa0982

SHA256
f35bb6299b9b8016f83a5f2404215ee8dfcbfae0d5ec2afbcf16982a084b140a

SHA512
d90cabad84c33f00935dd26ad89f15452b1e307ce04e9f99ba9ef309374f6441172704815c571c8fcd2b5e90d04b0cd58f7415ab0007df0d5d2be4d8b06b4e2e

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
541KB

MD5
a9c6d030fbbecc23daefadbf6104768d

SHA1
d71ceda35ee93fc16d6a4a77ace4beb617aa0982

SHA256
f35bb6299b9b8016f83a5f2404215ee8dfcbfae0d5ec2afbcf16982a084b140a

SHA512
d90cabad84c33f00935dd26ad89f15452b1e307ce04e9f99ba9ef309374f6441172704815c571c8fcd2b5e90d04b0cd58f7415ab0007df0d5d2be4d8b06b4e2e

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
541KB

MD5
a9c6d030fbbecc23daefadbf6104768d

SHA1
d71ceda35ee93fc16d6a4a77ace4beb617aa0982

SHA256
f35bb6299b9b8016f83a5f2404215ee8dfcbfae0d5ec2afbcf16982a084b140a

SHA512
d90cabad84c33f00935dd26ad89f15452b1e307ce04e9f99ba9ef309374f6441172704815c571c8fcd2b5e90d04b0cd58f7415ab0007df0d5d2be4d8b06b4e2e

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
541KB

MD5
a9c6d030fbbecc23daefadbf6104768d

SHA1
d71ceda35ee93fc16d6a4a77ace4beb617aa0982

SHA256
f35bb6299b9b8016f83a5f2404215ee8dfcbfae0d5ec2afbcf16982a084b140a

SHA512
d90cabad84c33f00935dd26ad89f15452b1e307ce04e9f99ba9ef309374f6441172704815c571c8fcd2b5e90d04b0cd58f7415ab0007df0d5d2be4d8b06b4e2e

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
541KB

MD5
a9c6d030fbbecc23daefadbf6104768d

SHA1
d71ceda35ee93fc16d6a4a77ace4beb617aa0982

SHA256
f35bb6299b9b8016f83a5f2404215ee8dfcbfae0d5ec2afbcf16982a084b140a

SHA512
d90cabad84c33f00935dd26ad89f15452b1e307ce04e9f99ba9ef309374f6441172704815c571c8fcd2b5e90d04b0cd58f7415ab0007df0d5d2be4d8b06b4e2e

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
541KB

MD5
a9c6d030fbbecc23daefadbf6104768d

SHA1
d71ceda35ee93fc16d6a4a77ace4beb617aa0982

SHA256
f35bb6299b9b8016f83a5f2404215ee8dfcbfae0d5ec2afbcf16982a084b140a

SHA512
d90cabad84c33f00935dd26ad89f15452b1e307ce04e9f99ba9ef309374f6441172704815c571c8fcd2b5e90d04b0cd58f7415ab0007df0d5d2be4d8b06b4e2e

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
541KB

MD5
a9c6d030fbbecc23daefadbf6104768d

SHA1
d71ceda35ee93fc16d6a4a77ace4beb617aa0982

SHA256
f35bb6299b9b8016f83a5f2404215ee8dfcbfae0d5ec2afbcf16982a084b140a

SHA512
d90cabad84c33f00935dd26ad89f15452b1e307ce04e9f99ba9ef309374f6441172704815c571c8fcd2b5e90d04b0cd58f7415ab0007df0d5d2be4d8b06b4e2e

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
memory/204-319-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/368-308-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/460-274-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/676-240-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1316-203-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1316-200-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1408-152-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1580-162-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1740-298-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1840-323-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2224-266-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2312-292-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2312-320-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2328-300-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2584-270-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2596-276-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2596-284-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2624-290-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2636-244-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2636-248-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2692-299-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3080-192-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3164-262-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3180-254-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3284-310-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3396-309-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3428-245-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3428-250-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3468-311-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3700-291-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3816-303-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3836-314-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3916-293-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3916-295-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3940-294-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3940-296-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3972-287-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4068-304-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4068-305-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4112-233-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4228-213-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4232-289-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4252-322-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4312-301-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4312-302-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4324-318-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4324-317-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4352-279-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4352-312-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4352-283-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4352-313-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4360-307-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4368-182-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4372-321-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4512-286-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4568-223-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4700-258-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4700-306-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4724-172-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4848-315-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4880-288-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4880-316-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4968-142-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5088-297-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download