f982412f8fcd2abc4359fd1ab5aebfe5d170665bffd660b8c64dc7357cda44f5

Analysis

max time kernel
109s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f982412f8fcd2abc4359fd1ab5aebfe5d170665bffd660b8c64dc7357cda44f5.exe
Size

1.2MB
MD5

32773553d7da8e443020d96b44ce976b
SHA1

8b9ea5dc13c096984d9b83c226b55dce38496e7c
SHA256

f982412f8fcd2abc4359fd1ab5aebfe5d170665bffd660b8c64dc7357cda44f5
SHA512

e4fcd56010b520dd2db2a2a0911fedb024e37c76277b87373248208f14a18a3f76ff0411f6586bf5b24576840ea4d5f37910baf2a919631b9a78a09e86d41a93
SSDEEP

12288:bdPePldPZdPnsH5utjoPhdPZdPXPldPZdPePldPZdPnsH5utj8PhdPZdPXPldPZK:csH5utjFsH5utjJsH5utj

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
452	notpad.exe
3076	tmp240587281.exe
4508	tmp240587375.exe
1904	notpad.exe
4568	tmp240587765.exe
4988	tmp240587890.exe
340	notpad.exe
4400	tmp240588312.exe
3412	tmp240588406.exe
3264	notpad.exe
3692	tmp240588859.exe
3968	tmp240588937.exe
2524	notpad.exe
1580	tmp240589328.exe
1236	tmp240589421.exe
3548	notpad.exe
3336	tmp240589781.exe
3500	tmp240589921.exe
372	notpad.exe
3112	tmp240590328.exe
3120	tmp240590375.exe
4492	notpad.exe
2256	tmp240590718.exe
2492	tmp240593078.exe
4432	notpad.exe
4308	tmp240593421.exe
3260	tmp240593484.exe
1148	notpad.exe
4348	tmp240593921.exe
1104	tmp240594015.exe
1956	notpad.exe
2004	tmp240594468.exe
4588	tmp240594531.exe
4916	notpad.exe
2868	tmp240595000.exe
2788	tmp240595046.exe
1908	notpad.exe
4016	tmp240595296.exe
2688	tmp240595343.exe
2348	notpad.exe
3680	tmp240595578.exe
3492	tmp240595640.exe
1092	notpad.exe
3508	tmp240595968.exe
4356	tmp240596000.exe
4092	notpad.exe
4064	tmp240596218.exe
3684	tmp240596265.exe
3412	notpad.exe
1648	tmp240596500.exe
4400	tmp240596531.exe
2380	notpad.exe
3968	tmp240596859.exe
4808	tmp240596937.exe
3232	notpad.exe
812	tmp240597234.exe
4576	tmp240597281.exe
4296	notpad.exe
3664	tmp240597500.exe
3860	tmp240597546.exe
4604	notpad.exe
1400	tmp240597796.exe
3336	tmp240597906.exe
2860	notpad.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0005000000022e00-133.dat	upx
behavioral2/files/0x0005000000022e00-134.dat	upx
behavioral2/memory/452-138-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/452-143-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0003000000022def-139.dat	upx
behavioral2/files/0x0005000000022e00-145.dat	upx
behavioral2/memory/1904-153-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0003000000022def-149.dat	upx
behavioral2/files/0x0005000000022e00-155.dat	upx
behavioral2/memory/340-162-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/340-164-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0003000000022def-159.dat	upx
behavioral2/files/0x0005000000022e00-166.dat	upx
behavioral2/files/0x0003000000022def-171.dat	upx
behavioral2/memory/3264-174-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0005000000022e00-176.dat	upx
behavioral2/memory/2524-184-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0003000000022def-181.dat	upx
behavioral2/files/0x0005000000022e00-186.dat	upx
behavioral2/memory/3548-194-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0003000000022def-191.dat	upx
behavioral2/files/0x0005000000022e00-196.dat	upx
behavioral2/memory/372-204-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0003000000022def-201.dat	upx
behavioral2/files/0x0005000000022e00-206.dat	upx
behavioral2/memory/4492-207-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4492-215-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0003000000022def-212.dat	upx
behavioral2/files/0x0005000000022e00-217.dat	upx
behavioral2/memory/4432-225-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0003000000022def-221.dat	upx
behavioral2/files/0x0005000000022e00-227.dat	upx
behavioral2/memory/1148-235-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0003000000022def-232.dat	upx
behavioral2/files/0x0005000000022e00-237.dat	upx
behavioral2/memory/1956-242-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4916-246-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1908-250-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2348-254-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1092-258-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4092-262-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3412-266-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2380-268-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2380-271-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3232-275-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4296-279-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4604-282-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4604-284-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2860-286-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2700-287-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1168-288-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4312-289-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3948-290-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1148-291-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4544-292-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3868-293-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3868-294-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1908-295-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1536-296-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1380-297-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/840-298-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/840-299-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2188-300-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3968-301-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240657468.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240655593.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240609609.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240621453.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240601125.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240611984.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240617890.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240593921.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240595296.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240595578.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240610890.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240611218.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240618703.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240622578.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240640375.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240653234.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240587765.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240605640.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240599687.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240610187.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240612359.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240614359.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240652500.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240656421.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240595000.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240596218.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240588312.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240610484.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240612531.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240631015.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240638281.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240595968.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240599328.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240609203.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240628015.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240628406.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240642359.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240607531.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240627406.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240644093.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240672500.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240601390.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240611640.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240671640.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240598140.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240619281.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240590328.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240599015.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240603328.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240612953.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240613703.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240618234.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240587281.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240589328.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240627687.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240631562.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240639187.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240644625.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240654921.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240622093.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240626359.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	tmp240641890.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\notpad.exe	tmp240671640.exe
File created	C:\Windows\SysWOW64\notpad.exe	Process not Found
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240619281.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240605203.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240618234.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240629093.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240595968.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240595578.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240603609.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240603906.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240607531.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240657343.exe
File created	C:\Windows\SysWOW64\notpad.exe-	Process not Found
File created	C:\Windows\SysWOW64\notpad.exe	tmp240587765.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240600562.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240606000.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240607062.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240617890.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240631453.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240653234.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	Process not Found
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240595000.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240593921.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240600828.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240614218.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240622953.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240628406.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240641468.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240589781.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240589328.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240590718.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240600328.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240642750.exe
File created	C:\Windows\SysWOW64\fsb.tmp	f982412f8fcd2abc4359fd1ab5aebfe5d170665bffd660b8c64dc7357cda44f5.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240596859.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240599328.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240602687.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240603062.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240608593.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240614359.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240629906.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240589328.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240626875.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240638281.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240640984.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240610484.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240603328.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240609875.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240598140.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240596218.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240596500.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240620796.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240631015.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240639187.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240643531.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240595578.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240603328.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240611640.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240620078.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240621062.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240641468.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240596859.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240601984.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240601984.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240595296.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240595578.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240596500.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240654171.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240618234.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240621765.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240629484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240642750.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240672500.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240597234.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240597796.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240643531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240601390.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240602250.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240606375.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240589781.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240600562.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240607062.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240612531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240596218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240612359.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240638281.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240603062.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240610484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	f982412f8fcd2abc4359fd1ab5aebfe5d170665bffd660b8c64dc7357cda44f5.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240589328.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240602453.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240611984.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240617484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240600031.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240601687.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240619281.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240640984.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240598140.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240614218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240628015.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240631453.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240638734.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240653234.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240656421.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	Process not Found
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240603609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240617890.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240630750.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240631562.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240641890.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240601125.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240609875.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240620078.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240593421.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240595000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240626359.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240588312.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240588859.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240599328.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240606000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240629093.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240632156.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240599015.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240612953.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240639187.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240639562.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 452	4396	f982412f8fcd2abc4359fd1ab5aebfe5d170665bffd660b8c64dc7357cda44f5.exe	83
PID 4396 wrote to memory of 452	4396	f982412f8fcd2abc4359fd1ab5aebfe5d170665bffd660b8c64dc7357cda44f5.exe	83
PID 4396 wrote to memory of 452	4396	f982412f8fcd2abc4359fd1ab5aebfe5d170665bffd660b8c64dc7357cda44f5.exe	83
PID 452 wrote to memory of 3076	452	notpad.exe	84
PID 452 wrote to memory of 3076	452	notpad.exe	84
PID 452 wrote to memory of 3076	452	notpad.exe	84
PID 452 wrote to memory of 4508	452	notpad.exe	85
PID 452 wrote to memory of 4508	452	notpad.exe	85
PID 452 wrote to memory of 4508	452	notpad.exe	85
PID 3076 wrote to memory of 1904	3076	tmp240587281.exe	86
PID 3076 wrote to memory of 1904	3076	tmp240587281.exe	86
PID 3076 wrote to memory of 1904	3076	tmp240587281.exe	86
PID 1904 wrote to memory of 4568	1904	notpad.exe	87
PID 1904 wrote to memory of 4568	1904	notpad.exe	87
PID 1904 wrote to memory of 4568	1904	notpad.exe	87
PID 1904 wrote to memory of 4988	1904	notpad.exe	89
PID 1904 wrote to memory of 4988	1904	notpad.exe	89
PID 1904 wrote to memory of 4988	1904	notpad.exe	89
PID 4568 wrote to memory of 340	4568	tmp240587765.exe	88
PID 4568 wrote to memory of 340	4568	tmp240587765.exe	88
PID 4568 wrote to memory of 340	4568	tmp240587765.exe	88
PID 340 wrote to memory of 4400	340	notpad.exe	90
PID 340 wrote to memory of 4400	340	notpad.exe	90
PID 340 wrote to memory of 4400	340	notpad.exe	90
PID 340 wrote to memory of 3412	340	notpad.exe	91
PID 340 wrote to memory of 3412	340	notpad.exe	91
PID 340 wrote to memory of 3412	340	notpad.exe	91
PID 4400 wrote to memory of 3264	4400	tmp240588312.exe	92
PID 4400 wrote to memory of 3264	4400	tmp240588312.exe	92
PID 4400 wrote to memory of 3264	4400	tmp240588312.exe	92
PID 3264 wrote to memory of 3692	3264	notpad.exe	93
PID 3264 wrote to memory of 3692	3264	notpad.exe	93
PID 3264 wrote to memory of 3692	3264	notpad.exe	93
PID 3264 wrote to memory of 3968	3264	notpad.exe	94
PID 3264 wrote to memory of 3968	3264	notpad.exe	94
PID 3264 wrote to memory of 3968	3264	notpad.exe	94
PID 3692 wrote to memory of 2524	3692	tmp240588859.exe	95
PID 3692 wrote to memory of 2524	3692	tmp240588859.exe	95
PID 3692 wrote to memory of 2524	3692	tmp240588859.exe	95
PID 2524 wrote to memory of 1580	2524	notpad.exe	96
PID 2524 wrote to memory of 1580	2524	notpad.exe	96
PID 2524 wrote to memory of 1580	2524	notpad.exe	96
PID 2524 wrote to memory of 1236	2524	notpad.exe	97
PID 2524 wrote to memory of 1236	2524	notpad.exe	97
PID 2524 wrote to memory of 1236	2524	notpad.exe	97
PID 1580 wrote to memory of 3548	1580	tmp240589328.exe	98
PID 1580 wrote to memory of 3548	1580	tmp240589328.exe	98
PID 1580 wrote to memory of 3548	1580	tmp240589328.exe	98
PID 3548 wrote to memory of 3336	3548	notpad.exe	99
PID 3548 wrote to memory of 3336	3548	notpad.exe	99
PID 3548 wrote to memory of 3336	3548	notpad.exe	99
PID 3548 wrote to memory of 3500	3548	notpad.exe	100
PID 3548 wrote to memory of 3500	3548	notpad.exe	100
PID 3548 wrote to memory of 3500	3548	notpad.exe	100
PID 3336 wrote to memory of 372	3336	tmp240589781.exe	101
PID 3336 wrote to memory of 372	3336	tmp240589781.exe	101
PID 3336 wrote to memory of 372	3336	tmp240589781.exe	101
PID 372 wrote to memory of 3112	372	notpad.exe	102
PID 372 wrote to memory of 3112	372	notpad.exe	102
PID 372 wrote to memory of 3112	372	notpad.exe	102
PID 372 wrote to memory of 3120	372	notpad.exe	104
PID 372 wrote to memory of 3120	372	notpad.exe	104
PID 372 wrote to memory of 3120	372	notpad.exe	104
PID 3112 wrote to memory of 4492	3112	tmp240590328.exe	103

C:\Users\Admin\AppData\Local\Temp\f982412f8fcd2abc4359fd1ab5aebfe5d170665bffd660b8c64dc7357cda44f5.exe
"C:\Users\Admin\AppData\Local\Temp\f982412f8fcd2abc4359fd1ab5aebfe5d170665bffd660b8c64dc7357cda44f5.exe"
1⤵
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4396
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:452
- - C:\Users\Admin\AppData\Local\Temp\tmp240587281.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240587281.exe
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:3076
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1904
    - - C:\Users\Admin\AppData\Local\Temp\tmp240587765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240587765.exe
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:4568
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:340
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588312.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588859.exe
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3692
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589328.exe
        11⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589781.exe
        13⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3336
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590328.exe
        15⤵
        Executes dropped EXE
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3112
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        Executes dropped EXE
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590718.exe
        17⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2256
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        Executes dropped EXE
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593421.exe
        19⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4308
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        Executes dropped EXE
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593921.exe
        21⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4348
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        22⤵
        Executes dropped EXE
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594468.exe
        23⤵
        Executes dropped EXE
        
        PID:2004
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        24⤵
        Executes dropped EXE
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595000.exe
        25⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        26⤵
        Executes dropped EXE
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595296.exe
        27⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        
        PID:4016
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        28⤵
        Executes dropped EXE
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595578.exe
        29⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3680
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        30⤵
        Executes dropped EXE
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595968.exe
        31⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3508
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        32⤵
        Executes dropped EXE
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596218.exe
        33⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        34⤵
        Executes dropped EXE
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596500.exe
        35⤵
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1648
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        36⤵
        Executes dropped EXE
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596859.exe
        37⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3968
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        38⤵
        Executes dropped EXE
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597234.exe
        39⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:812
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        40⤵
        Executes dropped EXE
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597500.exe
        41⤵
        Executes dropped EXE
        
        PID:3664
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        42⤵
        Executes dropped EXE
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597796.exe
        43⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:1400
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        44⤵
        Executes dropped EXE
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598140.exe
        45⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:952
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        46⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599015.exe
        47⤵
        Checks computer location settings
        Modifies registry class
        
        PID:844
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        48⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599328.exe
        49⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1696
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        50⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599687.exe
        51⤵
        Checks computer location settings
        
        PID:548
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        52⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600031.exe
        53⤵
        Modifies registry class
        
        PID:3520
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        54⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600328.exe
        55⤵
        Drops file in System32 directory
        
        PID:2804
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        56⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600562.exe
        57⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        58⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600828.exe
        59⤵
        Drops file in System32 directory
        
        PID:4648
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        60⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601125.exe
        61⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3876
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        62⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601390.exe
        63⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2952
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        64⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601687.exe
        65⤵
        Modifies registry class
        
        PID:5076
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        66⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601984.exe
        67⤵
        Drops file in System32 directory
        
        PID:3412
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        68⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602250.exe
        69⤵
        Modifies registry class
        
        PID:4392
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        70⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602453.exe
        71⤵
        Modifies registry class
        
        PID:4640
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        72⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602687.exe
        73⤵
        Drops file in System32 directory
        
        PID:1184
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        74⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603062.exe
        75⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5088
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        76⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603328.exe
        77⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4332
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        78⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603609.exe
        79⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:364
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        80⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603906.exe
        81⤵
        Drops file in System32 directory
        
        PID:1072
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        82⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605203.exe
        83⤵
        Drops file in System32 directory
        
        PID:4368
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        84⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605796.exe
        85⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605843.exe
        85⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606000.exe
        86⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5032
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        87⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606375.exe
        88⤵
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        89⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607109.exe
        90⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607281.exe
        90⤵
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607750.exe
        91⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607921.exe
        91⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606796.exe
        88⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607062.exe
        89⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3076
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        90⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607531.exe
        91⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2400
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        92⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608171.exe
        93⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        94⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608593.exe
        95⤵
        Drops file in System32 directory
        
        PID:1472
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        96⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609250.exe
        97⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609390.exe
        97⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609687.exe
        98⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609828.exe
        98⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608937.exe
        95⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609203.exe
        96⤵
        Checks computer location settings
        
        PID:1532
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        97⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609609.exe
        98⤵
        Checks computer location settings
        
        PID:4120
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        99⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609968.exe
        100⤵
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610046.exe
        100⤵
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610078.exe
        101⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610109.exe
        101⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609703.exe
        98⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609875.exe
        99⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        100⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610187.exe
        101⤵
        Checks computer location settings
        
        PID:3172
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        102⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610484.exe
        103⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1644
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        104⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610890.exe
        105⤵
        Checks computer location settings
        
        PID:3140
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        106⤵
        
        PID:204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611218.exe
        107⤵
        Checks computer location settings
        
        PID:3552
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        108⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611562.exe
        109⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611593.exe
        109⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611640.exe
        110⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4836
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        111⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611984.exe
        112⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3380
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        113⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612359.exe
        114⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3160
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        115⤵
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612640.exe
        116⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612734.exe
        116⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612828.exe
        117⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612890.exe
        117⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613078.exe
        118⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613187.exe
        118⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613234.exe
        119⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613312.exe
        119⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612375.exe
        114⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612531.exe
        115⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4708
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        116⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612953.exe
        117⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4028
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        118⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613359.exe
        119⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        120⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613703.exe
        121⤵
        Checks computer location settings
        
        PID:4280
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        122⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614218.exe
        123⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3780
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        124⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614578.exe
        125⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617218.exe
        125⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617484.exe
        126⤵
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        127⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617890.exe
        128⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1552
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        129⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618265.exe
        130⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618406.exe
        130⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618546.exe
        131⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618640.exe
        131⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618703.exe
        132⤵
        Checks computer location settings
        
        PID:2240
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        133⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619015.exe
        134⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619046.exe
        134⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619281.exe
        135⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1956
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        136⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619750.exe
        137⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        138⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620078.exe
        139⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3304
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        140⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620437.exe
        141⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        142⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620734.exe
        143⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620875.exe
        144⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620906.exe
        145⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620921.exe
        145⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620968.exe
        146⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620984.exe
        146⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620796.exe
        144⤵
        Drops file in System32 directory
        
        PID:3232
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        145⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621062.exe
        146⤵
        Drops file in System32 directory
        
        PID:4340
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        147⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621453.exe
        148⤵
        Checks computer location settings
        
        PID:1512
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        149⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621765.exe
        150⤵
        Modifies registry class
        
        PID:1376
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        151⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622187.exe
        152⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622203.exe
        152⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622281.exe
        153⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622390.exe
        153⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622578.exe
        154⤵
        Checks computer location settings
        
        PID:5116
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        155⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622953.exe
        156⤵
        Drops file in System32 directory
        
        PID:4092
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        157⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626359.exe
        158⤵
        Checks computer location settings
        Modifies registry class
        
        PID:840
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        159⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626875.exe
        160⤵
        Drops file in System32 directory
        
        PID:3112
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        161⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627453.exe
        162⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627515.exe
        162⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627625.exe
        163⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627656.exe
        163⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627718.exe
        164⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627796.exe
        164⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627890.exe
        165⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627906.exe
        165⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627937.exe
        166⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627953.exe
        166⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626906.exe
        160⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627156.exe
        161⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627234.exe
        162⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627250.exe
        162⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627343.exe
        163⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627359.exe
        163⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627406.exe
        164⤵
        Checks computer location settings
        
        PID:3896
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        165⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627687.exe
        166⤵
        Checks computer location settings
        
        PID:3988
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        167⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628015.exe
        168⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3404
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        169⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628406.exe
        170⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4668
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        171⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628781.exe
        172⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628812.exe
        172⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628953.exe
        173⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628984.exe
        173⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629015.exe
        174⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629031.exe
        174⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629093.exe
        175⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:812
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        176⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629500.exe
        177⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629546.exe
        177⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629625.exe
        178⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629640.exe
        178⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629734.exe
        179⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640640.exe
        180⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640656.exe
        180⤵
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640796.exe
        181⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640828.exe
        181⤵
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629750.exe
        179⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629796.exe
        180⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629828.exe
        180⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629937.exe
        181⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630015.exe
        182⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630000.exe
        182⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629906.exe
        181⤵
        Drops file in System32 directory
        
        PID:3112
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        182⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630281.exe
        183⤵
        
        PID:844
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        184⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630750.exe
        185⤵
        Modifies registry class
        
        PID:3824
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        186⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631015.exe
        187⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4088
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        188⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631453.exe
        189⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631500.exe
        189⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631578.exe
        190⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631609.exe
        190⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631765.exe
        191⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631828.exe
        191⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631906.exe
        192⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640437.exe
        193⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631921.exe
        192⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631953.exe
        193⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631968.exe
        193⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632015.exe
        194⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632031.exe
        194⤵
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631046.exe
        187⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631187.exe
        188⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631265.exe
        188⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631343.exe
        189⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631359.exe
        189⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631437.exe
        190⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631484.exe
        190⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631562.exe
        191⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3708
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        192⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632062.exe
        193⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632109.exe
        193⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632156.exe
        194⤵
        Modifies registry class
        
        PID:2112
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        195⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638281.exe
        196⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2376
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        197⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638734.exe
        198⤵
        Modifies registry class
        
        PID:740
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        199⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639187.exe
        200⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        201⤵
        
        PID:204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639593.exe
        202⤵
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639625.exe
        202⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639734.exe
        203⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639812.exe
        203⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639937.exe
        204⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640031.exe
        204⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640156.exe
        205⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640218.exe
        205⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640406.exe
        206⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640531.exe
        207⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640593.exe
        207⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640375.exe
        206⤵
        Checks computer location settings
        
        PID:3664
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        207⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641015.exe
        208⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641062.exe
        208⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641125.exe
        209⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641187.exe
        209⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641265.exe
        210⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641281.exe
        210⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641359.exe
        211⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641500.exe
        211⤵
        
        PID:3164
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641656.exe
        212⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641812.exe
        212⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641859.exe
        213⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641875.exe
        213⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641921.exe
        214⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641937.exe
        214⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642031.exe
        215⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642078.exe
        216⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642156.exe
        216⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642015.exe
        215⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672546.exe
        204⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639234.exe
        200⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639406.exe
        201⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639437.exe
        201⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639562.exe
        202⤵
        Modifies registry class
        
        PID:1536
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        203⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640250.exe
        204⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640671.exe
        205⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640750.exe
        206⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640812.exe
        206⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640875.exe
        207⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640921.exe
        207⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640984.exe
        208⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        209⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641031.exe
        208⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641156.exe
        209⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641296.exe
        209⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641375.exe
        210⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641421.exe
        210⤵
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641593.exe
        211⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641562.exe
        211⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643984.exe
        208⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644031.exe
        208⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644250.exe
        209⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644343.exe
        210⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644390.exe
        210⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644140.exe
        209⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639609.exe
        202⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639796.exe
        203⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639828.exe
        203⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639984.exe
        204⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640000.exe
        204⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640328.exe
        205⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640500.exe
        206⤵
        
        PID:1472
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640203.exe
        205⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638750.exe
        198⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638843.exe
        199⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638875.exe
        199⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639015.exe
        200⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639031.exe
        200⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639109.exe
        201⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639171.exe
        201⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639296.exe
        202⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639359.exe
        202⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639421.exe
        203⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639500.exe
        203⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639890.exe
        204⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639921.exe
        204⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640093.exe
        205⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640015.exe
        205⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638359.exe
        196⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638468.exe
        197⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638500.exe
        197⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638593.exe
        198⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638625.exe
        198⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638781.exe
        199⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638859.exe
        199⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638953.exe
        200⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639046.exe
        200⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639125.exe
        201⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639203.exe
        201⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639312.exe
        202⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639484.exe
        202⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639671.exe
        203⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639578.exe
        203⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655265.exe
        203⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632171.exe
        194⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632218.exe
        195⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632265.exe
        195⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638062.exe
        196⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638078.exe
        196⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638140.exe
        197⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638203.exe
        197⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638312.exe
        198⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638421.exe
        198⤵
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638484.exe
        199⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638531.exe
        199⤵
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631625.exe
        191⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631781.exe
        192⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631812.exe
        192⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630796.exe
        185⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630859.exe
        186⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630953.exe
        186⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631000.exe
        187⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631031.exe
        187⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631093.exe
        188⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631140.exe
        188⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631234.exe
        189⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631250.exe
        189⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631375.exe
        190⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631390.exe
        190⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630343.exe
        183⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630437.exe
        184⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630500.exe
        184⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630625.exe
        185⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630656.exe
        185⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630703.exe
        186⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630718.exe
        186⤵
        
        PID:484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630781.exe
        187⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630875.exe
        187⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630906.exe
        188⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630921.exe
        188⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651890.exe
        188⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651984.exe
        188⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652078.exe
        189⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652125.exe
        189⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652328.exe
        190⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652234.exe
        190⤵
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655250.exe
        189⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629109.exe
        175⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629140.exe
        176⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629187.exe
        176⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629250.exe
        177⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629343.exe
        177⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640125.exe
        175⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628437.exe
        170⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628500.exe
        171⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628546.exe
        171⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628609.exe
        172⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628625.exe
        172⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628671.exe
        173⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628703.exe
        173⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628765.exe
        174⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        175⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629156.exe
        176⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629234.exe
        176⤵
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629312.exe
        177⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629375.exe
        177⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629484.exe
        178⤵
        Modifies registry class
        
        PID:4772
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        179⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629921.exe
        180⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629984.exe
        180⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630140.exe
        181⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630156.exe
        181⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630203.exe
        182⤵
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630218.exe
        182⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630296.exe
        183⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630312.exe
        183⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630390.exe
        184⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630531.exe
        184⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630578.exe
        185⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630609.exe
        185⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629515.exe
        178⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629578.exe
        179⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629703.exe
        180⤵
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629765.exe
        180⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629843.exe
        181⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629859.exe
        181⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629562.exe
        179⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628843.exe
        174⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628875.exe
        175⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628921.exe
        175⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628046.exe
        168⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628078.exe
        169⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628125.exe
        169⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628218.exe
        170⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628234.exe
        170⤵
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628312.exe
        171⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628343.exe
        171⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628390.exe
        172⤵
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628421.exe
        172⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627703.exe
        166⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627421.exe
        164⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627125.exe
        161⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626546.exe
        158⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626703.exe
        159⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626796.exe
        160⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626921.exe
        160⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627062.exe
        161⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627078.exe
        161⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627140.exe
        162⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627265.exe
        162⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625703.exe
        156⤵
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625984.exe
        157⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626140.exe
        157⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626218.exe
        158⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626296.exe
        158⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626375.exe
        159⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626421.exe
        159⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626515.exe
        160⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626578.exe
        160⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622593.exe
        154⤵
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625953.exe
        155⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625968.exe
        155⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626250.exe
        156⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626343.exe
        156⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621796.exe
        150⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621921.exe
        151⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621968.exe
        151⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622046.exe
        152⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622062.exe
        152⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622093.exe
        153⤵
        Checks computer location settings
        
        PID:3368
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        154⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622609.exe
        155⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625734.exe
        155⤵
        
        PID:3032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626125.exe
        156⤵
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626234.exe
        156⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626406.exe
        157⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626437.exe
        157⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626500.exe
        158⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626562.exe
        158⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626656.exe
        159⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626734.exe
        159⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622234.exe
        153⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622265.exe
        154⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622328.exe
        154⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652343.exe
        155⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621484.exe
        148⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621546.exe
        149⤵
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621593.exe
        149⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621640.exe
        150⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621656.exe
        150⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621687.exe
        151⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621718.exe
        151⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621781.exe
        152⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621812.exe
        152⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641703.exe
        151⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641718.exe
        151⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654484.exe
        152⤵
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621078.exe
        146⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621140.exe
        147⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621296.exe
        147⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621343.exe
        148⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621359.exe
        148⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621390.exe
        149⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621421.exe
        149⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640609.exe
        146⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640718.exe
        146⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620703.exe
        143⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620515.exe
        141⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620562.exe
        142⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620578.exe
        142⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620609.exe
        143⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620640.exe
        143⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620687.exe
        144⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620718.exe
        144⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620109.exe
        139⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620156.exe
        140⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620218.exe
        140⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620343.exe
        141⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620390.exe
        141⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620421.exe
        142⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620468.exe
        142⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619796.exe
        137⤵
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620015.exe
        138⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620046.exe
        138⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620093.exe
        139⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620140.exe
        139⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620312.exe
        140⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620203.exe
        140⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619328.exe
        135⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619375.exe
        136⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619406.exe
        136⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619468.exe
        137⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619484.exe
        137⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618718.exe
        132⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618734.exe
        133⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618781.exe
        133⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640484.exe
        129⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617968.exe
        128⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618109.exe
        129⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618156.exe
        129⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618390.exe
        130⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618437.exe
        130⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618531.exe
        131⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618593.exe
        131⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617531.exe
        126⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617687.exe
        127⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617812.exe
        127⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617937.exe
        128⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617953.exe
        128⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618187.exe
        129⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618093.exe
        129⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614265.exe
        123⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614359.exe
        124⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2980
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        125⤵
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617500.exe
        126⤵
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617531.exe
        126⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617703.exe
        127⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617843.exe
        127⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618000.exe
        128⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618140.exe
        128⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618234.exe
        129⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3504
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        130⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618562.exe
        131⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618656.exe
        131⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618859.exe
        132⤵
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618875.exe
        132⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618937.exe
        133⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618953.exe
        133⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619000.exe
        134⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        135⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619296.exe
        136⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619312.exe
        136⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619390.exe
        137⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619421.exe
        137⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619515.exe
        138⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619531.exe
        138⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619765.exe
        139⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619781.exe
        139⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642703.exe
        139⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642734.exe
        139⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642796.exe
        140⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642859.exe
        140⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642953.exe
        141⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643000.exe
        141⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643125.exe
        142⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643218.exe
        142⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643578.exe
        143⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643687.exe
        144⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643765.exe
        144⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643531.exe
        143⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4372
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        144⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644156.exe
        145⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644265.exe
        146⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644359.exe
        146⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644437.exe
        147⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644484.exe
        147⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644562.exe
        148⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644578.exe
        148⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644625.exe
        149⤵
        Checks computer location settings
        
        PID:4816
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        150⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645031.exe
        151⤵
        
        PID:844
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        152⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652500.exe
        153⤵
        Checks computer location settings
        
        PID:4208
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        154⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653234.exe
        155⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2456
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        156⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653796.exe
        157⤵
        
        PID:1072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653906.exe
        158⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653921.exe
        158⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654031.exe
        159⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654046.exe
        159⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654093.exe
        160⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654109.exe
        160⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654187.exe
        161⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654203.exe
        161⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654296.exe
        162⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654328.exe
        162⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654406.exe
        163⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654500.exe
        163⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654625.exe
        164⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654640.exe
        164⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654718.exe
        165⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654796.exe
        165⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654859.exe
        166⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654953.exe
        166⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655015.exe
        167⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655093.exe
        167⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653359.exe
        155⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652546.exe
        153⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652671.exe
        154⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652796.exe
        154⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652937.exe
        155⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652953.exe
        155⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653078.exe
        156⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653171.exe
        156⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653359.exe
        157⤵
        
        PID:3944
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653421.exe
        157⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653500.exe
        158⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653562.exe
        158⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653609.exe
        159⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653625.exe
        159⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653687.exe
        160⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653703.exe
        160⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653734.exe
        161⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        162⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654171.exe
        163⤵
        Modifies registry class
        
        PID:3912
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        164⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654875.exe
        165⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654906.exe
        165⤵
        
        PID:484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655046.exe
        166⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655109.exe
        166⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655296.exe
        167⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655437.exe
        168⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655484.exe
        168⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655625.exe
        169⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655703.exe
        169⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655890.exe
        170⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656000.exe
        170⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656140.exe
        171⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656187.exe
        171⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656281.exe
        172⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656343.exe
        172⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656437.exe
        173⤵
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656546.exe
        174⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656781.exe
        174⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656890.exe
        175⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656843.exe
        175⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656421.exe
        173⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        174⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657375.exe
        175⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657468.exe
        175⤵
        Checks computer location settings
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657625.exe
        176⤵
        
        PID:808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654234.exe
        163⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654343.exe
        164⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654390.exe
        164⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654515.exe
        165⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654734.exe
        166⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654812.exe
        167⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654843.exe
        167⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654921.exe
        168⤵
        Checks computer location settings
        
        PID:1832
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        169⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655593.exe
        170⤵
        Checks computer location settings
        
        PID:208
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        171⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656328.exe
        172⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656359.exe
        172⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656515.exe
        173⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656531.exe
        173⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656921.exe
        174⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656968.exe
        174⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657062.exe
        175⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657125.exe
        175⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657203.exe
        176⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657265.exe
        176⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657359.exe
        177⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657531.exe
        177⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657781.exe
        178⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657671.exe
        178⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655656.exe
        170⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655828.exe
        171⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655984.exe
        171⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656171.exe
        172⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656203.exe
        172⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656390.exe
        173⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656750.exe
        174⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656812.exe
        174⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656953.exe
        175⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656984.exe
        175⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657093.exe
        176⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657250.exe
        176⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657343.exe
        177⤵
        Drops file in System32 directory
        
        PID:1072
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        178⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671140.exe
        179⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        180⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671656.exe
        181⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671765.exe
        181⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671890.exe
        182⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672000.exe
        182⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672093.exe
        183⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672140.exe
        183⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672234.exe
        184⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672281.exe
        184⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672375.exe
        185⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672406.exe
        185⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672500.exe
        186⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671171.exe
        179⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671390.exe
        180⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671437.exe
        180⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671531.exe
        181⤵
        
        PID:4240
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671578.exe
        181⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671687.exe
        182⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671781.exe
        182⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671937.exe
        183⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672062.exe
        184⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672125.exe
        184⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672265.exe
        185⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672312.exe
        185⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671875.exe
        183⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657390.exe
        177⤵
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657453.exe
        178⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657484.exe
        178⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657609.exe
        179⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657656.exe
        179⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657734.exe
        180⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657796.exe
        180⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657906.exe
        181⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657968.exe
        181⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656312.exe
        173⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654968.exe
        168⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655078.exe
        169⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655125.exe
        169⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655312.exe
        170⤵
        
        PID:1480
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655515.exe
        171⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655546.exe
        171⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655640.exe
        172⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655687.exe
        172⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655875.exe
        173⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655937.exe
        173⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653765.exe
        161⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653812.exe
        162⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653828.exe
        162⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651390.exe
        151⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651640.exe
        152⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651781.exe
        152⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651875.exe
        153⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651968.exe
        153⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652203.exe
        154⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652406.exe
        155⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652515.exe
        156⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652578.exe
        156⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652750.exe
        157⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652843.exe
        157⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653000.exe
        158⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653031.exe
        158⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653125.exe
        159⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653140.exe
        159⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652171.exe
        154⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644656.exe
        149⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651734.exe
        150⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651812.exe
        150⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657890.exe
        148⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657953.exe
        148⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671046.exe
        149⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671109.exe
        149⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671187.exe
        150⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671343.exe
        150⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671515.exe
        151⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671562.exe
        151⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671640.exe
        152⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3108
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        153⤵
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671703.exe
        152⤵
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644109.exe
        145⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653750.exe
        144⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619031.exe
        134⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618312.exe
        129⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617109.exe
        124⤵
        
        PID:204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617265.exe
        125⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617406.exe
        125⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617468.exe
        126⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617609.exe
        126⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613828.exe
        121⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614109.exe
        122⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614156.exe
        122⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614250.exe
        123⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614296.exe
        123⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614562.exe
        124⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617140.exe
        124⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613375.exe
        119⤵
        
        PID:1168
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613578.exe
        120⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613640.exe
        120⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613718.exe
        121⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614015.exe
        121⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614078.exe
        122⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614125.exe
        122⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613015.exe
        117⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613218.exe
        118⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613281.exe
        118⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613390.exe
        119⤵
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613546.exe
        119⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613609.exe
        120⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613656.exe
        120⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612609.exe
        115⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612703.exe
        116⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612765.exe
        116⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612812.exe
        117⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612859.exe
        117⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612000.exe
        112⤵
        
        PID:3692
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612062.exe
        113⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612093.exe
        113⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612140.exe
        114⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612171.exe
        114⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611656.exe
        110⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611234.exe
        107⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611312.exe
        108⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611406.exe
        108⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610906.exe
        105⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610937.exe
        106⤵
        
        PID:484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610968.exe
        106⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610546.exe
        103⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610875.exe
        104⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610921.exe
        104⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610234.exe
        101⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610312.exe
        102⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610359.exe
        102⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609921.exe
        99⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641468.exe
        97⤵
        Drops file in System32 directory
        
        PID:2712
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        98⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641890.exe
        99⤵
        Checks computer location settings
        Modifies registry class
        
        PID:784
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        100⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642359.exe
        101⤵
        Checks computer location settings
        
        PID:4408
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        102⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642765.exe
        103⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642843.exe
        103⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642937.exe
        104⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642968.exe
        104⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643109.exe
        105⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643187.exe
        105⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643281.exe
        106⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643375.exe
        106⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643593.exe
        107⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643640.exe
        107⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643843.exe
        108⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643937.exe
        108⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642421.exe
        101⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642500.exe
        102⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642546.exe
        102⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642625.exe
        103⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642640.exe
        103⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641968.exe
        99⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642140.exe
        100⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642171.exe
        100⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642234.exe
        101⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642250.exe
        101⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642375.exe
        102⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642406.exe
        102⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642453.exe
        103⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642484.exe
        103⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642593.exe
        104⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642656.exe
        104⤵
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642750.exe
        105⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3492
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        106⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643468.exe
        107⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643625.exe
        107⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643812.exe
        108⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643906.exe
        108⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643953.exe
        109⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644015.exe
        109⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644140.exe
        110⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644093.exe
        110⤵
        Checks computer location settings
        
        PID:4772
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        111⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644640.exe
        112⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651109.exe
        112⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651625.exe
        113⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651703.exe
        113⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651859.exe
        114⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651906.exe
        114⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652109.exe
        115⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652218.exe
        115⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652296.exe
        116⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652359.exe
        116⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652531.exe
        117⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652593.exe
        117⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652703.exe
        118⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652859.exe
        118⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653015.exe
        119⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653218.exe
        119⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653312.exe
        120⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653437.exe
        120⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643046.exe
        105⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643156.exe
        106⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643234.exe
        106⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643296.exe
        107⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643546.exe
        107⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641484.exe
        97⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641578.exe
        98⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641609.exe
        98⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609343.exe
        96⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608296.exe
        93⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608375.exe
        94⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608406.exe
        94⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607890.exe
        91⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608000.exe
        92⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608125.exe
        92⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607234.exe
        89⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606125.exe
        86⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605546.exe
        83⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605640.exe
        84⤵
        Checks computer location settings
        
        PID:2328
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        85⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606062.exe
        86⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606312.exe
        86⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606546.exe
        87⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606890.exe
        87⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605828.exe
        84⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604984.exe
        81⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605562.exe
        82⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605734.exe
        82⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603640.exe
        79⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603718.exe
        80⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603750.exe
        80⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603343.exe
        77⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603406.exe
        78⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603453.exe
        78⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603078.exe
        75⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603109.exe
        76⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603156.exe
        76⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602796.exe
        73⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602484.exe
        71⤵
        
        PID:3708
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602265.exe
        69⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602031.exe
        67⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601750.exe
        65⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601437.exe
        63⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240601156.exe
        61⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600906.exe
        59⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600593.exe
        57⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600359.exe
        55⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240600078.exe
        53⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599750.exe
        51⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599453.exe
        49⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240599078.exe
        47⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598796.exe
        45⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597906.exe
        43⤵
        Executes dropped EXE
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597546.exe
        41⤵
        Executes dropped EXE
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597281.exe
        39⤵
        Executes dropped EXE
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596937.exe
        37⤵
        Executes dropped EXE
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596531.exe
        35⤵
        Executes dropped EXE
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596265.exe
        33⤵
        Executes dropped EXE
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596000.exe
        31⤵
        Executes dropped EXE
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595640.exe
        29⤵
        Executes dropped EXE
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595343.exe
        27⤵
        Executes dropped EXE
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240595046.exe
        25⤵
        Executes dropped EXE
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594531.exe
        23⤵
        Executes dropped EXE
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594015.exe
        21⤵
        Executes dropped EXE
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593484.exe
        19⤵
        Executes dropped EXE
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593078.exe
        17⤵
        Executes dropped EXE
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590375.exe
        15⤵
        Executes dropped EXE
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589921.exe
        13⤵
        Executes dropped EXE
        
        PID:3500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589421.exe
        11⤵
        Executes dropped EXE
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588937.exe
        9⤵
        Executes dropped EXE
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588406.exe
        7⤵
        Executes dropped EXE
        
        PID:3412
    - - C:\Users\Admin\AppData\Local\Temp\tmp240587890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240587890.exe
        5⤵
        Executes dropped EXE
        
        PID:4988
- - C:\Users\Admin\AppData\Local\Temp\tmp240587375.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240587375.exe
    3⤵
    - Executes dropped EXE
    PID:4508

C:\Users\Admin\AppData\Local\Temp\tmp240626640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240626640.exe
1⤵
PID:4284

C:\Users\Admin\AppData\Local\Temp\tmp240654687.exe
C:\Users\Admin\AppData\Local\Temp\tmp240654687.exe
1⤵
PID:2260

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp240587281.exe

Filesize
1.2MB

MD5
32773553d7da8e443020d96b44ce976b

SHA1
8b9ea5dc13c096984d9b83c226b55dce38496e7c

SHA256
f982412f8fcd2abc4359fd1ab5aebfe5d170665bffd660b8c64dc7357cda44f5

SHA512
e4fcd56010b520dd2db2a2a0911fedb024e37c76277b87373248208f14a18a3f76ff0411f6586bf5b24576840ea4d5f37910baf2a919631b9a78a09e86d41a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240587281.exe

Filesize
1.2MB

MD5
32773553d7da8e443020d96b44ce976b

SHA1
8b9ea5dc13c096984d9b83c226b55dce38496e7c

SHA256
f982412f8fcd2abc4359fd1ab5aebfe5d170665bffd660b8c64dc7357cda44f5

SHA512
e4fcd56010b520dd2db2a2a0911fedb024e37c76277b87373248208f14a18a3f76ff0411f6586bf5b24576840ea4d5f37910baf2a919631b9a78a09e86d41a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240587375.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240587765.exe

Filesize
1.2MB

MD5
32773553d7da8e443020d96b44ce976b

SHA1
8b9ea5dc13c096984d9b83c226b55dce38496e7c

SHA256
f982412f8fcd2abc4359fd1ab5aebfe5d170665bffd660b8c64dc7357cda44f5

SHA512
e4fcd56010b520dd2db2a2a0911fedb024e37c76277b87373248208f14a18a3f76ff0411f6586bf5b24576840ea4d5f37910baf2a919631b9a78a09e86d41a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240587765.exe

Filesize
1.2MB

MD5
32773553d7da8e443020d96b44ce976b

SHA1
8b9ea5dc13c096984d9b83c226b55dce38496e7c

SHA256
f982412f8fcd2abc4359fd1ab5aebfe5d170665bffd660b8c64dc7357cda44f5

SHA512
e4fcd56010b520dd2db2a2a0911fedb024e37c76277b87373248208f14a18a3f76ff0411f6586bf5b24576840ea4d5f37910baf2a919631b9a78a09e86d41a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240587890.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240588312.exe

Filesize
1.2MB

MD5
32773553d7da8e443020d96b44ce976b

SHA1
8b9ea5dc13c096984d9b83c226b55dce38496e7c

SHA256
f982412f8fcd2abc4359fd1ab5aebfe5d170665bffd660b8c64dc7357cda44f5

SHA512
e4fcd56010b520dd2db2a2a0911fedb024e37c76277b87373248208f14a18a3f76ff0411f6586bf5b24576840ea4d5f37910baf2a919631b9a78a09e86d41a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240588312.exe

Filesize
1.2MB

MD5
32773553d7da8e443020d96b44ce976b

SHA1
8b9ea5dc13c096984d9b83c226b55dce38496e7c

SHA256
f982412f8fcd2abc4359fd1ab5aebfe5d170665bffd660b8c64dc7357cda44f5

SHA512
e4fcd56010b520dd2db2a2a0911fedb024e37c76277b87373248208f14a18a3f76ff0411f6586bf5b24576840ea4d5f37910baf2a919631b9a78a09e86d41a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240588406.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240588859.exe

Filesize
1.2MB

MD5
32773553d7da8e443020d96b44ce976b

SHA1
8b9ea5dc13c096984d9b83c226b55dce38496e7c

SHA256
f982412f8fcd2abc4359fd1ab5aebfe5d170665bffd660b8c64dc7357cda44f5

SHA512
e4fcd56010b520dd2db2a2a0911fedb024e37c76277b87373248208f14a18a3f76ff0411f6586bf5b24576840ea4d5f37910baf2a919631b9a78a09e86d41a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240588859.exe

Filesize
1.2MB

MD5
32773553d7da8e443020d96b44ce976b

SHA1
8b9ea5dc13c096984d9b83c226b55dce38496e7c

SHA256
f982412f8fcd2abc4359fd1ab5aebfe5d170665bffd660b8c64dc7357cda44f5

SHA512
e4fcd56010b520dd2db2a2a0911fedb024e37c76277b87373248208f14a18a3f76ff0411f6586bf5b24576840ea4d5f37910baf2a919631b9a78a09e86d41a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240588937.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240589328.exe

Filesize
1.2MB

MD5
32773553d7da8e443020d96b44ce976b

SHA1
8b9ea5dc13c096984d9b83c226b55dce38496e7c

SHA256
f982412f8fcd2abc4359fd1ab5aebfe5d170665bffd660b8c64dc7357cda44f5

SHA512
e4fcd56010b520dd2db2a2a0911fedb024e37c76277b87373248208f14a18a3f76ff0411f6586bf5b24576840ea4d5f37910baf2a919631b9a78a09e86d41a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240589328.exe

Filesize
1.2MB

MD5
32773553d7da8e443020d96b44ce976b

SHA1
8b9ea5dc13c096984d9b83c226b55dce38496e7c

SHA256
f982412f8fcd2abc4359fd1ab5aebfe5d170665bffd660b8c64dc7357cda44f5

SHA512
e4fcd56010b520dd2db2a2a0911fedb024e37c76277b87373248208f14a18a3f76ff0411f6586bf5b24576840ea4d5f37910baf2a919631b9a78a09e86d41a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240589421.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240589781.exe

Filesize
1.2MB

MD5
32773553d7da8e443020d96b44ce976b

SHA1
8b9ea5dc13c096984d9b83c226b55dce38496e7c

SHA256
f982412f8fcd2abc4359fd1ab5aebfe5d170665bffd660b8c64dc7357cda44f5

SHA512
e4fcd56010b520dd2db2a2a0911fedb024e37c76277b87373248208f14a18a3f76ff0411f6586bf5b24576840ea4d5f37910baf2a919631b9a78a09e86d41a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240589781.exe

Filesize
1.2MB

MD5
32773553d7da8e443020d96b44ce976b

SHA1
8b9ea5dc13c096984d9b83c226b55dce38496e7c

SHA256
f982412f8fcd2abc4359fd1ab5aebfe5d170665bffd660b8c64dc7357cda44f5

SHA512
e4fcd56010b520dd2db2a2a0911fedb024e37c76277b87373248208f14a18a3f76ff0411f6586bf5b24576840ea4d5f37910baf2a919631b9a78a09e86d41a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240589921.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240590328.exe

Filesize
1.2MB

MD5
32773553d7da8e443020d96b44ce976b

SHA1
8b9ea5dc13c096984d9b83c226b55dce38496e7c

SHA256
f982412f8fcd2abc4359fd1ab5aebfe5d170665bffd660b8c64dc7357cda44f5

SHA512
e4fcd56010b520dd2db2a2a0911fedb024e37c76277b87373248208f14a18a3f76ff0411f6586bf5b24576840ea4d5f37910baf2a919631b9a78a09e86d41a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240590328.exe

Filesize
1.2MB

MD5
32773553d7da8e443020d96b44ce976b

SHA1
8b9ea5dc13c096984d9b83c226b55dce38496e7c

SHA256
f982412f8fcd2abc4359fd1ab5aebfe5d170665bffd660b8c64dc7357cda44f5

SHA512
e4fcd56010b520dd2db2a2a0911fedb024e37c76277b87373248208f14a18a3f76ff0411f6586bf5b24576840ea4d5f37910baf2a919631b9a78a09e86d41a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240590375.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240590718.exe

Filesize
1.2MB

MD5
32773553d7da8e443020d96b44ce976b

SHA1
8b9ea5dc13c096984d9b83c226b55dce38496e7c

SHA256
f982412f8fcd2abc4359fd1ab5aebfe5d170665bffd660b8c64dc7357cda44f5

SHA512
e4fcd56010b520dd2db2a2a0911fedb024e37c76277b87373248208f14a18a3f76ff0411f6586bf5b24576840ea4d5f37910baf2a919631b9a78a09e86d41a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240590718.exe

Filesize
1.2MB

MD5
32773553d7da8e443020d96b44ce976b

SHA1
8b9ea5dc13c096984d9b83c226b55dce38496e7c

SHA256
f982412f8fcd2abc4359fd1ab5aebfe5d170665bffd660b8c64dc7357cda44f5

SHA512
e4fcd56010b520dd2db2a2a0911fedb024e37c76277b87373248208f14a18a3f76ff0411f6586bf5b24576840ea4d5f37910baf2a919631b9a78a09e86d41a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240593078.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240593421.exe

Filesize
1.2MB

MD5
32773553d7da8e443020d96b44ce976b

SHA1
8b9ea5dc13c096984d9b83c226b55dce38496e7c

SHA256
f982412f8fcd2abc4359fd1ab5aebfe5d170665bffd660b8c64dc7357cda44f5

SHA512
e4fcd56010b520dd2db2a2a0911fedb024e37c76277b87373248208f14a18a3f76ff0411f6586bf5b24576840ea4d5f37910baf2a919631b9a78a09e86d41a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240593421.exe

Filesize
1.2MB

MD5
32773553d7da8e443020d96b44ce976b

SHA1
8b9ea5dc13c096984d9b83c226b55dce38496e7c

SHA256
f982412f8fcd2abc4359fd1ab5aebfe5d170665bffd660b8c64dc7357cda44f5

SHA512
e4fcd56010b520dd2db2a2a0911fedb024e37c76277b87373248208f14a18a3f76ff0411f6586bf5b24576840ea4d5f37910baf2a919631b9a78a09e86d41a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240593484.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240593921.exe

Filesize
1.2MB

MD5
32773553d7da8e443020d96b44ce976b

SHA1
8b9ea5dc13c096984d9b83c226b55dce38496e7c

SHA256
f982412f8fcd2abc4359fd1ab5aebfe5d170665bffd660b8c64dc7357cda44f5

SHA512
e4fcd56010b520dd2db2a2a0911fedb024e37c76277b87373248208f14a18a3f76ff0411f6586bf5b24576840ea4d5f37910baf2a919631b9a78a09e86d41a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240593921.exe

Filesize
1.2MB

MD5
32773553d7da8e443020d96b44ce976b

SHA1
8b9ea5dc13c096984d9b83c226b55dce38496e7c

SHA256
f982412f8fcd2abc4359fd1ab5aebfe5d170665bffd660b8c64dc7357cda44f5

SHA512
e4fcd56010b520dd2db2a2a0911fedb024e37c76277b87373248208f14a18a3f76ff0411f6586bf5b24576840ea4d5f37910baf2a919631b9a78a09e86d41a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240594015.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240594468.exe

Filesize
1.2MB

MD5
32773553d7da8e443020d96b44ce976b

SHA1
8b9ea5dc13c096984d9b83c226b55dce38496e7c

SHA256
f982412f8fcd2abc4359fd1ab5aebfe5d170665bffd660b8c64dc7357cda44f5

SHA512
e4fcd56010b520dd2db2a2a0911fedb024e37c76277b87373248208f14a18a3f76ff0411f6586bf5b24576840ea4d5f37910baf2a919631b9a78a09e86d41a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240594468.exe

Filesize
1.2MB

MD5
32773553d7da8e443020d96b44ce976b

SHA1
8b9ea5dc13c096984d9b83c226b55dce38496e7c

SHA256
f982412f8fcd2abc4359fd1ab5aebfe5d170665bffd660b8c64dc7357cda44f5

SHA512
e4fcd56010b520dd2db2a2a0911fedb024e37c76277b87373248208f14a18a3f76ff0411f6586bf5b24576840ea4d5f37910baf2a919631b9a78a09e86d41a93

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
1.2MB

MD5
32773553d7da8e443020d96b44ce976b

SHA1
8b9ea5dc13c096984d9b83c226b55dce38496e7c

SHA256
f982412f8fcd2abc4359fd1ab5aebfe5d170665bffd660b8c64dc7357cda44f5

SHA512
e4fcd56010b520dd2db2a2a0911fedb024e37c76277b87373248208f14a18a3f76ff0411f6586bf5b24576840ea4d5f37910baf2a919631b9a78a09e86d41a93

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
1.2MB

MD5
32773553d7da8e443020d96b44ce976b

SHA1
8b9ea5dc13c096984d9b83c226b55dce38496e7c

SHA256
f982412f8fcd2abc4359fd1ab5aebfe5d170665bffd660b8c64dc7357cda44f5

SHA512
e4fcd56010b520dd2db2a2a0911fedb024e37c76277b87373248208f14a18a3f76ff0411f6586bf5b24576840ea4d5f37910baf2a919631b9a78a09e86d41a93

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
1.2MB

MD5
32773553d7da8e443020d96b44ce976b

SHA1
8b9ea5dc13c096984d9b83c226b55dce38496e7c

SHA256
f982412f8fcd2abc4359fd1ab5aebfe5d170665bffd660b8c64dc7357cda44f5

SHA512
e4fcd56010b520dd2db2a2a0911fedb024e37c76277b87373248208f14a18a3f76ff0411f6586bf5b24576840ea4d5f37910baf2a919631b9a78a09e86d41a93

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
1.2MB

MD5
32773553d7da8e443020d96b44ce976b

SHA1
8b9ea5dc13c096984d9b83c226b55dce38496e7c

SHA256
f982412f8fcd2abc4359fd1ab5aebfe5d170665bffd660b8c64dc7357cda44f5

SHA512
e4fcd56010b520dd2db2a2a0911fedb024e37c76277b87373248208f14a18a3f76ff0411f6586bf5b24576840ea4d5f37910baf2a919631b9a78a09e86d41a93

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
1.2MB

MD5
32773553d7da8e443020d96b44ce976b

SHA1
8b9ea5dc13c096984d9b83c226b55dce38496e7c

SHA256
f982412f8fcd2abc4359fd1ab5aebfe5d170665bffd660b8c64dc7357cda44f5

SHA512
e4fcd56010b520dd2db2a2a0911fedb024e37c76277b87373248208f14a18a3f76ff0411f6586bf5b24576840ea4d5f37910baf2a919631b9a78a09e86d41a93

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
1.2MB

MD5
32773553d7da8e443020d96b44ce976b

SHA1
8b9ea5dc13c096984d9b83c226b55dce38496e7c

SHA256
f982412f8fcd2abc4359fd1ab5aebfe5d170665bffd660b8c64dc7357cda44f5

SHA512
e4fcd56010b520dd2db2a2a0911fedb024e37c76277b87373248208f14a18a3f76ff0411f6586bf5b24576840ea4d5f37910baf2a919631b9a78a09e86d41a93

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
1.2MB

MD5
32773553d7da8e443020d96b44ce976b

SHA1
8b9ea5dc13c096984d9b83c226b55dce38496e7c

SHA256
f982412f8fcd2abc4359fd1ab5aebfe5d170665bffd660b8c64dc7357cda44f5

SHA512
e4fcd56010b520dd2db2a2a0911fedb024e37c76277b87373248208f14a18a3f76ff0411f6586bf5b24576840ea4d5f37910baf2a919631b9a78a09e86d41a93

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
1.2MB

MD5
32773553d7da8e443020d96b44ce976b

SHA1
8b9ea5dc13c096984d9b83c226b55dce38496e7c

SHA256
f982412f8fcd2abc4359fd1ab5aebfe5d170665bffd660b8c64dc7357cda44f5

SHA512
e4fcd56010b520dd2db2a2a0911fedb024e37c76277b87373248208f14a18a3f76ff0411f6586bf5b24576840ea4d5f37910baf2a919631b9a78a09e86d41a93

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
1.2MB

MD5
32773553d7da8e443020d96b44ce976b

SHA1
8b9ea5dc13c096984d9b83c226b55dce38496e7c

SHA256
f982412f8fcd2abc4359fd1ab5aebfe5d170665bffd660b8c64dc7357cda44f5

SHA512
e4fcd56010b520dd2db2a2a0911fedb024e37c76277b87373248208f14a18a3f76ff0411f6586bf5b24576840ea4d5f37910baf2a919631b9a78a09e86d41a93

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
1.2MB

MD5
32773553d7da8e443020d96b44ce976b

SHA1
8b9ea5dc13c096984d9b83c226b55dce38496e7c

SHA256
f982412f8fcd2abc4359fd1ab5aebfe5d170665bffd660b8c64dc7357cda44f5

SHA512
e4fcd56010b520dd2db2a2a0911fedb024e37c76277b87373248208f14a18a3f76ff0411f6586bf5b24576840ea4d5f37910baf2a919631b9a78a09e86d41a93

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.4MB

MD5
57f310d811b19b606eea2993572734b0

SHA1
9e612b39b9783eee9825ebadb58e3313a668ace3

SHA256
f1522171bcdbad0dcb5cfb006ee7f2a0ff5fb51c1e57e2113e812b3bc761859b

SHA512
e14badd5c44e089aed6b3393900b6399aafcb1d34eeab251f97efffa1aca6dcb829245fb8477971592b813948fcb25a661fac7ed3ea6df9b80a1557dc5271528

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.4MB

MD5
57f310d811b19b606eea2993572734b0

SHA1
9e612b39b9783eee9825ebadb58e3313a668ace3

SHA256
f1522171bcdbad0dcb5cfb006ee7f2a0ff5fb51c1e57e2113e812b3bc761859b

SHA512
e14badd5c44e089aed6b3393900b6399aafcb1d34eeab251f97efffa1aca6dcb829245fb8477971592b813948fcb25a661fac7ed3ea6df9b80a1557dc5271528

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.4MB

MD5
57f310d811b19b606eea2993572734b0

SHA1
9e612b39b9783eee9825ebadb58e3313a668ace3

SHA256
f1522171bcdbad0dcb5cfb006ee7f2a0ff5fb51c1e57e2113e812b3bc761859b

SHA512
e14badd5c44e089aed6b3393900b6399aafcb1d34eeab251f97efffa1aca6dcb829245fb8477971592b813948fcb25a661fac7ed3ea6df9b80a1557dc5271528

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.4MB

MD5
57f310d811b19b606eea2993572734b0

SHA1
9e612b39b9783eee9825ebadb58e3313a668ace3

SHA256
f1522171bcdbad0dcb5cfb006ee7f2a0ff5fb51c1e57e2113e812b3bc761859b

SHA512
e14badd5c44e089aed6b3393900b6399aafcb1d34eeab251f97efffa1aca6dcb829245fb8477971592b813948fcb25a661fac7ed3ea6df9b80a1557dc5271528

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.4MB

MD5
57f310d811b19b606eea2993572734b0

SHA1
9e612b39b9783eee9825ebadb58e3313a668ace3

SHA256
f1522171bcdbad0dcb5cfb006ee7f2a0ff5fb51c1e57e2113e812b3bc761859b

SHA512
e14badd5c44e089aed6b3393900b6399aafcb1d34eeab251f97efffa1aca6dcb829245fb8477971592b813948fcb25a661fac7ed3ea6df9b80a1557dc5271528

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.4MB

MD5
57f310d811b19b606eea2993572734b0

SHA1
9e612b39b9783eee9825ebadb58e3313a668ace3

SHA256
f1522171bcdbad0dcb5cfb006ee7f2a0ff5fb51c1e57e2113e812b3bc761859b

SHA512
e14badd5c44e089aed6b3393900b6399aafcb1d34eeab251f97efffa1aca6dcb829245fb8477971592b813948fcb25a661fac7ed3ea6df9b80a1557dc5271528

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.4MB

MD5
57f310d811b19b606eea2993572734b0

SHA1
9e612b39b9783eee9825ebadb58e3313a668ace3

SHA256
f1522171bcdbad0dcb5cfb006ee7f2a0ff5fb51c1e57e2113e812b3bc761859b

SHA512
e14badd5c44e089aed6b3393900b6399aafcb1d34eeab251f97efffa1aca6dcb829245fb8477971592b813948fcb25a661fac7ed3ea6df9b80a1557dc5271528

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.4MB

MD5
57f310d811b19b606eea2993572734b0

SHA1
9e612b39b9783eee9825ebadb58e3313a668ace3

SHA256
f1522171bcdbad0dcb5cfb006ee7f2a0ff5fb51c1e57e2113e812b3bc761859b

SHA512
e14badd5c44e089aed6b3393900b6399aafcb1d34eeab251f97efffa1aca6dcb829245fb8477971592b813948fcb25a661fac7ed3ea6df9b80a1557dc5271528

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.4MB

MD5
57f310d811b19b606eea2993572734b0

SHA1
9e612b39b9783eee9825ebadb58e3313a668ace3

SHA256
f1522171bcdbad0dcb5cfb006ee7f2a0ff5fb51c1e57e2113e812b3bc761859b

SHA512
e14badd5c44e089aed6b3393900b6399aafcb1d34eeab251f97efffa1aca6dcb829245fb8477971592b813948fcb25a661fac7ed3ea6df9b80a1557dc5271528

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.4MB

MD5
57f310d811b19b606eea2993572734b0

SHA1
9e612b39b9783eee9825ebadb58e3313a668ace3

SHA256
f1522171bcdbad0dcb5cfb006ee7f2a0ff5fb51c1e57e2113e812b3bc761859b

SHA512
e14badd5c44e089aed6b3393900b6399aafcb1d34eeab251f97efffa1aca6dcb829245fb8477971592b813948fcb25a661fac7ed3ea6df9b80a1557dc5271528

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.4MB

MD5
57f310d811b19b606eea2993572734b0

SHA1
9e612b39b9783eee9825ebadb58e3313a668ace3

SHA256
f1522171bcdbad0dcb5cfb006ee7f2a0ff5fb51c1e57e2113e812b3bc761859b

SHA512
e14badd5c44e089aed6b3393900b6399aafcb1d34eeab251f97efffa1aca6dcb829245fb8477971592b813948fcb25a661fac7ed3ea6df9b80a1557dc5271528

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.4MB

MD5
57f310d811b19b606eea2993572734b0

SHA1
9e612b39b9783eee9825ebadb58e3313a668ace3

SHA256
f1522171bcdbad0dcb5cfb006ee7f2a0ff5fb51c1e57e2113e812b3bc761859b

SHA512
e14badd5c44e089aed6b3393900b6399aafcb1d34eeab251f97efffa1aca6dcb829245fb8477971592b813948fcb25a661fac7ed3ea6df9b80a1557dc5271528

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
memory/340-162-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/340-164-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/372-204-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/452-143-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/452-138-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/756-312-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/840-299-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/840-298-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1092-258-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1148-235-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1148-291-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1168-288-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1380-297-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1532-304-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1536-296-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1568-313-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1756-311-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1904-153-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1908-295-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1908-250-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1956-242-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2004-315-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2004-317-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2112-307-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2188-300-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2284-305-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2348-254-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2380-271-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2380-268-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2392-319-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2524-184-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2700-287-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2860-286-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2960-306-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3232-275-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3264-174-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3412-266-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3444-302-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3548-194-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3868-293-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3868-294-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3932-323-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3932-321-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3948-314-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3948-290-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3968-301-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4092-262-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4296-279-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4312-289-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4412-303-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4432-225-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4484-309-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4484-310-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4492-215-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4492-207-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4544-292-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4604-284-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4604-282-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4816-318-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4816-316-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4828-320-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4836-322-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4916-246-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4960-308-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download