5d4215acf0ae322b8633095478f5d9a87f17a070b67bc310c206c643354ae877

Analysis

max time kernel
150s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d4215acf0ae322b8633095478f5d9a87f17a070b67bc310c206c643354ae877.exe
Size

2.8MB
MD5

fc0d11b9914912c48b60ec78644bef66
SHA1

e4ac08bab388de9e3e91c0191a59dc9076068884
SHA256

5d4215acf0ae322b8633095478f5d9a87f17a070b67bc310c206c643354ae877
SHA512

1047c392c068e0186937c6013abc7cc4828a6be63dd5439a554e74e32ada9498567545539e8924a7c836249963ef87d46d3c738c763a0457e78c0728aae2a129
SSDEEP

24576:aDyTFtjBDyTFtj/DyTFtjBDyTFtjIDyTFtjBDyTFtjUDyTFtjBDyTFtjwDyTFtjj:Htqt0tqtltqthtqtttqtetqtitqtet

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2740	tmp240576203.exe
5060	tmp240576500.exe
2208	notpad.exe
4628	tmp240580890.exe
2028	tmp240581140.exe
3852	notpad.exe
1920	tmp240581609.exe
1984	tmp240581890.exe
920	notpad.exe
2168	tmp240582250.exe
4984	tmp240582390.exe
4964	notpad.exe
2200	tmp240583000.exe
1416	tmp240583406.exe
4392	notpad.exe
4140	tmp240584156.exe
3768	tmp240584250.exe
4712	tmp240584437.exe
1160	notpad.exe
1704	tmp240584687.exe
1184	tmp240599031.exe
4764	tmp240585500.exe
404	tmp240585718.exe
1040	notpad.exe
4616	tmp240599281.exe
4760	tmp240587265.exe
1828	tmp240599671.exe
844	tmp240594859.exe
3556	tmp240587953.exe
1816	notpad.exe
4748	tmp240588218.exe
4464	tmp240588656.exe
2952	tmp240588828.exe
3000	tmp240589000.exe
3972	tmp240595562.exe
4300	tmp240589296.exe
3112	tmp240589468.exe
2008	tmp240589640.exe
2500	notpad.exe
2288	tmp240589906.exe
2216	tmp240596890.exe
4452	tmp240596828.exe
2540	tmp240590390.exe
1320	tmp240597031.exe
3716	tmp240590484.exe
1408	tmp240590546.exe
1376	tmp240590609.exe
4340	tmp240604781.exe
940	tmp240597421.exe
2752	tmp240590906.exe
3176	tmp240590968.exe
5088	tmp240591109.exe
3300	tmp240591406.exe
1928	tmp240591484.exe
4440	notpad.exe
5040	tmp240605343.exe
872	tmp240591671.exe
4912	tmp240591796.exe
2208	tmp240591859.exe
2420	notpad.exe
436	tmp240606281.exe
3840	tmp240605765.exe
204	tmp240598078.exe
1760	tmp240592359.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4284-132-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4284-139-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022f67-141.dat	upx
behavioral2/files/0x0007000000022f67-142.dat	upx
behavioral2/files/0x0006000000022f65-146.dat	upx
behavioral2/memory/2208-150-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022f67-152.dat	upx
behavioral2/files/0x0006000000022f65-157.dat	upx
behavioral2/memory/3852-160-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022f67-162.dat	upx
behavioral2/memory/920-170-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022f65-166.dat	upx
behavioral2/files/0x0007000000022f67-172.dat	upx
behavioral2/memory/4964-180-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022f65-178.dat	upx
behavioral2/files/0x0006000000022f76-183.dat	upx
behavioral2/files/0x0006000000022f76-182.dat	upx
behavioral2/files/0x0006000000022f77-191.dat	upx
behavioral2/files/0x0006000000022f77-190.dat	upx
behavioral2/memory/3768-195-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3768-201-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022f76-198.dat	upx
behavioral2/memory/4392-192-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022f65-187.dat	upx
behavioral2/files/0x0008000000022f67-209.dat	upx
behavioral2/memory/1160-210-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0008000000022f67-208.dat	upx
behavioral2/memory/4764-211-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022f65-205.dat	upx
behavioral2/files/0x0006000000022f76-216.dat	upx
behavioral2/memory/4764-219-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1040-220-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022f65-225.dat	upx
behavioral2/files/0x0006000000022f83-228.dat	upx
behavioral2/memory/1040-229-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022f83-227.dat	upx
behavioral2/memory/1828-235-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022f76-237.dat	upx
behavioral2/memory/1816-238-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022f65-242.dat	upx
behavioral2/memory/1816-244-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4464-247-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3972-250-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3972-252-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3112-256-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2500-259-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4452-263-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1320-267-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1376-271-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/940-274-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5088-277-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4440-279-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4440-282-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2420-289-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/872-285-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3840-292-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4032-293-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4032-294-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4432-295-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3700-296-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4680-297-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1324-298-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1324-299-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/716-300-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Checks computer location settings 2 TTPs 49 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240707234.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240606281.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240608015.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240610046.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240672312.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240583000.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240599156.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240599796.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240608218.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240629703.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240582250.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240603343.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240605437.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240597750.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240609859.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240624921.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240627234.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240646921.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240596890.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240592593.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240595500.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240594437.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240618531.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240633281.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240576203.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240584156.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240590546.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240593281.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240609437.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240613796.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240637421.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240685421.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240581609.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240599031.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240590968.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240692656.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240605343.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240607640.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240587265.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240588218.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240589296.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240643265.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240658515.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240665171.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240678796.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240718968.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240605125.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240614906.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240621937.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240584156.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240609437.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240646921.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240685421.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240582250.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240605343.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240607640.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240597750.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240606281.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240597750.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240605437.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240627234.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240590546.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240605125.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240609859.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240608218.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240624921.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240605343.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240605437.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240614906.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240685421.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240608218.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240633281.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240637421.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240599031.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240587265.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240692656.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240592593.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240627234.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240595500.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240609859.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240629703.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240665171.exe
File created	C:\Windows\SysWOW64\fsb.tmp	tmp240576203.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240610046.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240613796.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240576203.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240589296.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240608015.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240618531.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240581609.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240605343.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240607640.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240610046.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240665171.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240707234.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240590968.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240606281.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240614906.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240629703.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240658515.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240685421.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240707234.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240580890.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240594437.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240614906.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240588218.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240590968.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240603343.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240613796.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240672312.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240580890.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240582250.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240590968.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 50 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240606281.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240607640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240599796.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240608218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240646921.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240658515.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240718968.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240590546.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240613796.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240633281.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240665171.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240707234.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240595500.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240609437.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240610046.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240629703.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240592593.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240580890.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240581609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240599031.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240588218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240599156.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240609859.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240614906.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240576203.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240590968.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240594437.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240608015.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240603343.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240624921.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240584156.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240596890.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240593281.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240605437.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240621937.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240672312.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240587265.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240583000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240589296.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240605343.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240605125.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240637421.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240643265.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240678796.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240582250.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240692656.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240685421.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240618531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240627234.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240597750.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4284 wrote to memory of 2740	4284	5d4215acf0ae322b8633095478f5d9a87f17a070b67bc310c206c643354ae877.exe	79
PID 4284 wrote to memory of 2740	4284	5d4215acf0ae322b8633095478f5d9a87f17a070b67bc310c206c643354ae877.exe	79
PID 4284 wrote to memory of 2740	4284	5d4215acf0ae322b8633095478f5d9a87f17a070b67bc310c206c643354ae877.exe	79
PID 4284 wrote to memory of 5060	4284	5d4215acf0ae322b8633095478f5d9a87f17a070b67bc310c206c643354ae877.exe	80
PID 4284 wrote to memory of 5060	4284	5d4215acf0ae322b8633095478f5d9a87f17a070b67bc310c206c643354ae877.exe	80
PID 4284 wrote to memory of 5060	4284	5d4215acf0ae322b8633095478f5d9a87f17a070b67bc310c206c643354ae877.exe	80
PID 2740 wrote to memory of 2208	2740	tmp240576203.exe	81
PID 2740 wrote to memory of 2208	2740	tmp240576203.exe	81
PID 2740 wrote to memory of 2208	2740	tmp240576203.exe	81
PID 2208 wrote to memory of 4628	2208	notpad.exe	82
PID 2208 wrote to memory of 4628	2208	notpad.exe	82
PID 2208 wrote to memory of 4628	2208	notpad.exe	82
PID 2208 wrote to memory of 2028	2208	notpad.exe	83
PID 2208 wrote to memory of 2028	2208	notpad.exe	83
PID 2208 wrote to memory of 2028	2208	notpad.exe	83
PID 4628 wrote to memory of 3852	4628	Process not Found	84
PID 4628 wrote to memory of 3852	4628	Process not Found	84
PID 4628 wrote to memory of 3852	4628	Process not Found	84
PID 3852 wrote to memory of 1920	3852	notpad.exe	85
PID 3852 wrote to memory of 1920	3852	notpad.exe	85
PID 3852 wrote to memory of 1920	3852	notpad.exe	85
PID 3852 wrote to memory of 1984	3852	notpad.exe	86
PID 3852 wrote to memory of 1984	3852	notpad.exe	86
PID 3852 wrote to memory of 1984	3852	notpad.exe	86
PID 1920 wrote to memory of 920	1920	tmp240581609.exe	87
PID 1920 wrote to memory of 920	1920	tmp240581609.exe	87
PID 1920 wrote to memory of 920	1920	tmp240581609.exe	87
PID 920 wrote to memory of 2168	920	notpad.exe	88
PID 920 wrote to memory of 2168	920	notpad.exe	88
PID 920 wrote to memory of 2168	920	notpad.exe	88
PID 920 wrote to memory of 4984	920	notpad.exe	89
PID 920 wrote to memory of 4984	920	notpad.exe	89
PID 920 wrote to memory of 4984	920	notpad.exe	89
PID 2168 wrote to memory of 4964	2168	tmp240582250.exe	90
PID 2168 wrote to memory of 4964	2168	tmp240582250.exe	90
PID 2168 wrote to memory of 4964	2168	tmp240582250.exe	90
PID 4964 wrote to memory of 2200	4964	notpad.exe	91
PID 4964 wrote to memory of 2200	4964	notpad.exe	91
PID 4964 wrote to memory of 2200	4964	notpad.exe	91
PID 4964 wrote to memory of 1416	4964	notpad.exe	92
PID 4964 wrote to memory of 1416	4964	notpad.exe	92
PID 4964 wrote to memory of 1416	4964	notpad.exe	92
PID 2200 wrote to memory of 4392	2200	tmp240583000.exe	93
PID 2200 wrote to memory of 4392	2200	tmp240583000.exe	93
PID 2200 wrote to memory of 4392	2200	tmp240583000.exe	93
PID 4392 wrote to memory of 4140	4392	notpad.exe	94
PID 4392 wrote to memory of 4140	4392	notpad.exe	94
PID 4392 wrote to memory of 4140	4392	notpad.exe	94
PID 4392 wrote to memory of 3768	4392	notpad.exe	95
PID 4392 wrote to memory of 3768	4392	notpad.exe	95
PID 4392 wrote to memory of 3768	4392	notpad.exe	95
PID 3768 wrote to memory of 4712	3768	tmp240584250.exe	96
PID 3768 wrote to memory of 4712	3768	tmp240584250.exe	96
PID 3768 wrote to memory of 4712	3768	tmp240584250.exe	96
PID 4140 wrote to memory of 1160	4140	tmp240584156.exe	97
PID 4140 wrote to memory of 1160	4140	tmp240584156.exe	97
PID 4140 wrote to memory of 1160	4140	tmp240584156.exe	97
PID 3768 wrote to memory of 1704	3768	tmp240584250.exe	98
PID 3768 wrote to memory of 1704	3768	tmp240584250.exe	98
PID 3768 wrote to memory of 1704	3768	tmp240584250.exe	98
PID 1160 wrote to memory of 1184	1160	notpad.exe	226
PID 1160 wrote to memory of 1184	1160	notpad.exe	226
PID 1160 wrote to memory of 1184	1160	notpad.exe	226
PID 1160 wrote to memory of 4764	1160	notpad.exe	101

C:\Users\Admin\AppData\Local\Temp\5d4215acf0ae322b8633095478f5d9a87f17a070b67bc310c206c643354ae877.exe
"C:\Users\Admin\AppData\Local\Temp\5d4215acf0ae322b8633095478f5d9a87f17a070b67bc310c206c643354ae877.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4284
- C:\Users\Admin\AppData\Local\Temp\tmp240576203.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240576203.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Users\Admin\AppData\Local\Temp\tmp240580890.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240580890.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Modifies registry class
      PID:4628
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3852
      - C:\Users\Admin\AppData\Local\Temp\tmp240581609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240581609.exe
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240582250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240582250.exe
        8⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240583000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240583000.exe
        10⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240584156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240584156.exe
        12⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4140
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\tmp240584750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240584750.exe
        14⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        Executes dropped EXE
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\tmp240587265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240587265.exe
        16⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4760
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        17⤵
        Executes dropped EXE
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588218.exe
        18⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4748
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        19⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589296.exe
        20⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4300
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        21⤵
        Executes dropped EXE
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589968.exe
        22⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        23⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590546.exe
        24⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1408
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        25⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590968.exe
        26⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        27⤵
        Executes dropped EXE
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590609.exe
        24⤵
        Executes dropped EXE
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590750.exe
        25⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604875.exe
        26⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590906.exe
        25⤵
        Executes dropped EXE
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597031.exe
        23⤵
        Executes dropped EXE
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597171.exe
        23⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597343.exe
        24⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240597453.exe
        24⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240590062.exe
        22⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589468.exe
        20⤵
        Executes dropped EXE
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589640.exe
        21⤵
        Executes dropped EXE
        
        PID:2008
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589906.exe
        21⤵
        Executes dropped EXE
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588656.exe
        18⤵
        Executes dropped EXE
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240588828.exe
        19⤵
        Executes dropped EXE
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240589000.exe
        19⤵
        Executes dropped EXE
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\tmp240587421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240587421.exe
        16⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\tmp240585500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240585500.exe
        14⤵
        Executes dropped EXE
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\tmp240586031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240586031.exe
        15⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\tmp240584250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240584250.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240584437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240584437.exe
        13⤵
        Executes dropped EXE
        
        PID:4712
        
        C:\Users\Admin\AppData\Local\Temp\tmp240584687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240584687.exe
        13⤵
        Executes dropped EXE
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\tmp240583406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240583406.exe
        10⤵
        Executes dropped EXE
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\tmp240582390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240582390.exe
        8⤵
        Executes dropped EXE
        
        PID:4984
      - C:\Users\Admin\AppData\Local\Temp\tmp240581890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240581890.exe
        6⤵
        Executes dropped EXE
        
        PID:1984
  - - C:\Users\Admin\AppData\Local\Temp\tmp240581140.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240581140.exe
      4⤵
      Executes dropped EXE
      PID:2028
- C:\Users\Admin\AppData\Local\Temp\tmp240576500.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240576500.exe
  2⤵
  - Executes dropped EXE
  PID:5060

C:\Users\Admin\AppData\Local\Temp\tmp240585718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240585718.exe
1⤵
- Executes dropped EXE
PID:404

C:\Users\Admin\AppData\Local\Temp\tmp240587578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240587578.exe
1⤵
PID:844

C:\Users\Admin\AppData\Local\Temp\tmp240587953.exe
C:\Users\Admin\AppData\Local\Temp\tmp240587953.exe
1⤵
- Executes dropped EXE
PID:3556

C:\Users\Admin\AppData\Local\Temp\tmp240591484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240591484.exe
1⤵
- Executes dropped EXE
PID:1928

C:\Users\Admin\AppData\Local\Temp\tmp240591593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240591593.exe
1⤵
PID:5040
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  PID:2420

C:\Users\Admin\AppData\Local\Temp\tmp240591671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240591671.exe
1⤵
- Executes dropped EXE
PID:872
- C:\Users\Admin\AppData\Local\Temp\tmp240591859.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240591859.exe
  2⤵
  - Executes dropped EXE
  PID:2208
- C:\Users\Admin\AppData\Local\Temp\tmp240591796.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240591796.exe
  2⤵
  - Executes dropped EXE
  PID:4912

C:\Users\Admin\AppData\Local\Temp\tmp240592046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240592046.exe
1⤵
PID:3840
- C:\Users\Admin\AppData\Local\Temp\tmp240592156.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240592156.exe
  2⤵
  PID:204
- C:\Users\Admin\AppData\Local\Temp\tmp240592359.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240592359.exe
  2⤵
  - Executes dropped EXE
  PID:1760

C:\Users\Admin\AppData\Local\Temp\tmp240592000.exe
C:\Users\Admin\AppData\Local\Temp\tmp240592000.exe
1⤵
PID:436
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:4032

C:\Users\Admin\AppData\Local\Temp\tmp240592640.exe
C:\Users\Admin\AppData\Local\Temp\tmp240592640.exe
1⤵
PID:4432
- C:\Users\Admin\AppData\Local\Temp\tmp240592734.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240592734.exe
  2⤵
  PID:3636
- C:\Users\Admin\AppData\Local\Temp\tmp240592859.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240592859.exe
  2⤵
  PID:3700
- - C:\Users\Admin\AppData\Local\Temp\tmp240593093.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240593093.exe
    3⤵
    PID:3388
  - - C:\Users\Admin\AppData\Local\Temp\tmp240598500.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240598500.exe
      4⤵
      PID:1884
  - - C:\Users\Admin\AppData\Local\Temp\tmp240598515.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240598515.exe
      4⤵
      PID:4972
    - - C:\Users\Admin\AppData\Local\Temp\tmp240598609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598609.exe
        5⤵
        
        PID:4952
    - - C:\Users\Admin\AppData\Local\Temp\tmp240598687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240598687.exe
        5⤵
        
        PID:4620
- - C:\Users\Admin\AppData\Local\Temp\tmp240592968.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240592968.exe
    3⤵
    PID:4488

C:\Users\Admin\AppData\Local\Temp\tmp240592593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240592593.exe
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:4892
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:4680
- - C:\Users\Admin\AppData\Local\Temp\tmp240593281.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240593281.exe
    3⤵
    - Checks computer location settings
    - Modifies registry class
    PID:1128
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:1980
    - - C:\Users\Admin\AppData\Local\Temp\tmp240593734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593734.exe
        5⤵
        
        PID:432
    - - C:\Users\Admin\AppData\Local\Temp\tmp240594015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594015.exe
        5⤵
        
        PID:3652
- - C:\Users\Admin\AppData\Local\Temp\tmp240593343.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240593343.exe
    3⤵
    PID:1324
  - - C:\Users\Admin\AppData\Local\Temp\tmp240593484.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240593484.exe
      4⤵
      PID:1132
  - - C:\Users\Admin\AppData\Local\Temp\tmp240593578.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240593578.exe
      4⤵
      PID:716
    - - C:\Users\Admin\AppData\Local\Temp\tmp240593656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593656.exe
        5⤵
        
        PID:2428
    - - C:\Users\Admin\AppData\Local\Temp\tmp240593968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240593968.exe
        5⤵
        
        PID:4612
      - C:\Users\Admin\AppData\Local\Temp\tmp240594156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594156.exe
        6⤵
        
        PID:3980
      - C:\Users\Admin\AppData\Local\Temp\tmp240594187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240594187.exe
        6⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690312.exe
        7⤵
        
        PID:2212

C:\Users\Admin\AppData\Local\Temp\tmp240594562.exe
C:\Users\Admin\AppData\Local\Temp\tmp240594562.exe
1⤵
PID:4800

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:2824
- C:\Users\Admin\AppData\Local\Temp\tmp240594859.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240594859.exe
  2⤵
  - Executes dropped EXE
  PID:844
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:4208
- C:\Users\Admin\AppData\Local\Temp\tmp240594937.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240594937.exe
  2⤵
  PID:4124
- - C:\Users\Admin\AppData\Local\Temp\tmp240595421.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240595421.exe
    3⤵
    PID:3876
- - C:\Users\Admin\AppData\Local\Temp\tmp240596218.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240596218.exe
    3⤵
    PID:1868

C:\Users\Admin\AppData\Local\Temp\tmp240594828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240594828.exe
1⤵
PID:4288

C:\Users\Admin\AppData\Local\Temp\tmp240594484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240594484.exe
1⤵
PID:1908
- C:\Users\Admin\AppData\Local\Temp\tmp240595046.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240595046.exe
  2⤵
  PID:4456

C:\Users\Admin\AppData\Local\Temp\tmp240594734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240594734.exe
1⤵
PID:4756
- C:\Users\Admin\AppData\Local\Temp\tmp240595203.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240595203.exe
  2⤵
  PID:4460
- C:\Users\Admin\AppData\Local\Temp\tmp240595187.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240595187.exe
  2⤵
  PID:4700

C:\Users\Admin\AppData\Local\Temp\tmp240595359.exe
C:\Users\Admin\AppData\Local\Temp\tmp240595359.exe
1⤵
PID:1932
- C:\Users\Admin\AppData\Local\Temp\tmp240595500.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240595500.exe
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  PID:3560
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:3740
  - - C:\Users\Admin\AppData\Local\Temp\tmp240596656.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240596656.exe
      4⤵
      PID:3680
  - - C:\Users\Admin\AppData\Local\Temp\tmp240596796.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240596796.exe
      4⤵
      PID:1788
    - - C:\Users\Admin\AppData\Local\Temp\tmp240596984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596984.exe
        5⤵
        
        PID:4532
    - - C:\Users\Admin\AppData\Local\Temp\tmp240596953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240596953.exe
        5⤵
        
        PID:2296
- C:\Users\Admin\AppData\Local\Temp\tmp240596000.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240596000.exe
  2⤵
  PID:2640
- - C:\Users\Admin\AppData\Local\Temp\tmp240596484.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240596484.exe
    3⤵
    PID:2300
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:648
- - C:\Users\Admin\AppData\Local\Temp\tmp240596859.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240596859.exe
    3⤵
    PID:2540

C:\Users\Admin\AppData\Local\Temp\tmp240595390.exe
C:\Users\Admin\AppData\Local\Temp\tmp240595390.exe
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\tmp240595562.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240595562.exe
  2⤵
  - Executes dropped EXE
  PID:3972
- C:\Users\Admin\AppData\Local\Temp\tmp240596125.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240596125.exe
  2⤵
  PID:3444

C:\Users\Admin\AppData\Local\Temp\tmp240595343.exe
C:\Users\Admin\AppData\Local\Temp\tmp240595343.exe
1⤵
PID:4816

C:\Users\Admin\AppData\Local\Temp\tmp240596015.exe
C:\Users\Admin\AppData\Local\Temp\tmp240596015.exe
1⤵
PID:3068
- C:\Users\Admin\AppData\Local\Temp\tmp240596828.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240596828.exe
  2⤵
  - Executes dropped EXE
  PID:4452
- - C:\Users\Admin\AppData\Local\Temp\tmp240597265.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240597265.exe
    3⤵
    PID:1548
- - C:\Users\Admin\AppData\Local\Temp\tmp240597156.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240597156.exe
    3⤵
    PID:4504
- - C:\Users\Admin\AppData\Local\Temp\tmp240590484.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240590484.exe
    3⤵
    - Executes dropped EXE
    PID:3716
- - C:\Users\Admin\AppData\Local\Temp\tmp240590390.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240590390.exe
    3⤵
    - Executes dropped EXE
    PID:2540
- C:\Users\Admin\AppData\Local\Temp\tmp240596562.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240596562.exe
  2⤵
  PID:1200

C:\Users\Admin\AppData\Local\Temp\tmp240595468.exe
C:\Users\Admin\AppData\Local\Temp\tmp240595468.exe
1⤵
PID:1092

C:\Users\Admin\AppData\Local\Temp\tmp240597375.exe
C:\Users\Admin\AppData\Local\Temp\tmp240597375.exe
1⤵
PID:4296

C:\Users\Admin\AppData\Local\Temp\tmp240597421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240597421.exe
1⤵
- Executes dropped EXE
PID:940
- C:\Users\Admin\AppData\Local\Temp\tmp240597484.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240597484.exe
  2⤵
  PID:2776
- C:\Users\Admin\AppData\Local\Temp\tmp240597562.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240597562.exe
  2⤵
  PID:2904
- C:\Users\Admin\AppData\Local\Temp\tmp240591109.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240591109.exe
  2⤵
  - Executes dropped EXE
  PID:5088

C:\Users\Admin\AppData\Local\Temp\tmp240597609.exe
C:\Users\Admin\AppData\Local\Temp\tmp240597609.exe
1⤵
PID:4276

C:\Users\Admin\AppData\Local\Temp\tmp240597546.exe
C:\Users\Admin\AppData\Local\Temp\tmp240597546.exe
1⤵
PID:4224
- C:\Users\Admin\AppData\Local\Temp\tmp240597671.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240597671.exe
  2⤵
  PID:2552

C:\Users\Admin\AppData\Local\Temp\tmp240597765.exe
C:\Users\Admin\AppData\Local\Temp\tmp240597765.exe
1⤵
PID:644

C:\Users\Admin\AppData\Local\Temp\tmp240597781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240597781.exe
1⤵
PID:2452

C:\Users\Admin\AppData\Local\Temp\tmp240597750.exe
C:\Users\Admin\AppData\Local\Temp\tmp240597750.exe
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:1780
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:4424
- - C:\Users\Admin\AppData\Local\Temp\tmp240598406.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240598406.exe
    3⤵
    PID:3700
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:3036
- - C:\Users\Admin\AppData\Local\Temp\tmp240598421.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240598421.exe
    3⤵
    PID:3388

C:\Users\Admin\AppData\Local\Temp\tmp240597906.exe
C:\Users\Admin\AppData\Local\Temp\tmp240597906.exe
1⤵
PID:1960
- C:\Users\Admin\AppData\Local\Temp\tmp240597968.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240597968.exe
  2⤵
  PID:1944
- C:\Users\Admin\AppData\Local\Temp\tmp240598015.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240598015.exe
  2⤵
  PID:2164
- - C:\Users\Admin\AppData\Local\Temp\tmp240598062.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240598062.exe
    3⤵
    PID:2968
- - C:\Users\Admin\AppData\Local\Temp\tmp240598078.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240598078.exe
    3⤵
    - Executes dropped EXE
    PID:204
  - - C:\Users\Admin\AppData\Local\Temp\tmp240598171.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240598171.exe
      4⤵
      PID:4772
  - - C:\Users\Admin\AppData\Local\Temp\tmp240598187.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240598187.exe
      4⤵
      PID:3604

C:\Users\Admin\AppData\Local\Temp\tmp240598234.exe
C:\Users\Admin\AppData\Local\Temp\tmp240598234.exe
1⤵
PID:3140

C:\Users\Admin\AppData\Local\Temp\tmp240598906.exe
C:\Users\Admin\AppData\Local\Temp\tmp240598906.exe
1⤵
PID:4708
- C:\Users\Admin\AppData\Local\Temp\tmp240598953.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240598953.exe
  2⤵
  PID:4012
- C:\Users\Admin\AppData\Local\Temp\tmp240598968.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240598968.exe
  2⤵
  PID:4676
- - C:\Users\Admin\AppData\Local\Temp\tmp240646828.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240646828.exe
    3⤵
    PID:4552
- - C:\Users\Admin\AppData\Local\Temp\tmp240646890.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240646890.exe
    3⤵
    PID:1568
  - - C:\Users\Admin\AppData\Local\Temp\tmp240647109.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240647109.exe
      4⤵
      PID:632
  - - C:\Users\Admin\AppData\Local\Temp\tmp240647187.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240647187.exe
      4⤵
      PID:3952
    - - C:\Users\Admin\AppData\Local\Temp\tmp240647390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647390.exe
        5⤵
        
        PID:1096
    - - C:\Users\Admin\AppData\Local\Temp\tmp240647453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647453.exe
        5⤵
        
        PID:4380
      - C:\Users\Admin\AppData\Local\Temp\tmp240656203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656203.exe
        6⤵
        
        PID:1944
      - C:\Users\Admin\AppData\Local\Temp\tmp240656328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656328.exe
        6⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656593.exe
        7⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656703.exe
        7⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656890.exe
        8⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657000.exe
        8⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657171.exe
        9⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657218.exe
        9⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657453.exe
        10⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657531.exe
        10⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657796.exe
        11⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657890.exe
        11⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658046.exe
        12⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658187.exe
        13⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658234.exe
        13⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658437.exe
        14⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658500.exe
        14⤵
        
        PID:3232

C:\Users\Admin\AppData\Local\Temp\tmp240599046.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599046.exe
1⤵
PID:2428
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:3600

C:\Users\Admin\AppData\Local\Temp\tmp240599156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599156.exe
1⤵
- Checks computer location settings
- Modifies registry class
PID:3980
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:1192
- - C:\Users\Admin\AppData\Local\Temp\tmp240599796.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240599796.exe
    3⤵
    - Checks computer location settings
    - Modifies registry class
    PID:3612
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:3352
    - - C:\Users\Admin\AppData\Local\Temp\tmp240602640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602640.exe
        5⤵
        
        PID:4208
    - - C:\Users\Admin\AppData\Local\Temp\tmp240602765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602765.exe
        5⤵
        
        PID:1476
      - C:\Users\Admin\AppData\Local\Temp\tmp240603343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603343.exe
        6⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3180
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605765.exe
        8⤵
        Executes dropped EXE
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606968.exe
        8⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607609.exe
        9⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607656.exe
        9⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608218.exe
        10⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609890.exe
        12⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610218.exe
        13⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610328.exe
        13⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610640.exe
        14⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610750.exe
        14⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613718.exe
        15⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613781.exe
        15⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613953.exe
        16⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614062.exe
        16⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614984.exe
        17⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615093.exe
        17⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615343.exe
        18⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615421.exe
        18⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615609.exe
        19⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615687.exe
        19⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615843.exe
        20⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617046.exe
        20⤵
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617218.exe
        21⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617406.exe
        22⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617468.exe
        22⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617171.exe
        21⤵
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609843.exe
        12⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608281.exe
        10⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608609.exe
        11⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608687.exe
        11⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608921.exe
        12⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608984.exe
        12⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609359.exe
        13⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609390.exe
        13⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609609.exe
        14⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609671.exe
        14⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609812.exe
        15⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609859.exe
        15⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610109.exe
        16⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610562.exe
        17⤵
        
        PID:2340
      - C:\Users\Admin\AppData\Local\Temp\tmp240603437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603437.exe
        6⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603578.exe
        7⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604015.exe
        7⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604781.exe
        8⤵
        Executes dropped EXE
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604953.exe
        9⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605312.exe
        10⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605437.exe
        11⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2164
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608250.exe
        13⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608546.exe
        13⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608765.exe
        14⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608859.exe
        14⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609265.exe
        15⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609437.exe
        15⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609625.exe
        16⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609703.exe
        16⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609921.exe
        17⤵
        
        PID:484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610156.exe
        18⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610296.exe
        19⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610390.exe
        19⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610515.exe
        20⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610578.exe
        20⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613609.exe
        21⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613703.exe
        21⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613984.exe
        22⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614078.exe
        22⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623031.exe
        23⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609875.exe
        17⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606281.exe
        11⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606812.exe
        12⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607046.exe
        12⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607421.exe
        13⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607625.exe
        13⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605187.exe
        10⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604343.exe
        8⤵
        
        PID:3940
- - C:\Users\Admin\AppData\Local\Temp\tmp240602140.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240602140.exe
    3⤵
    PID:484
  - - C:\Users\Admin\AppData\Local\Temp\tmp240602906.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240602906.exe
      4⤵
      PID:1852
    - - C:\Users\Admin\AppData\Local\Temp\tmp240603562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603562.exe
        5⤵
        
        PID:1216
    - - C:\Users\Admin\AppData\Local\Temp\tmp240604000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604000.exe
        5⤵
        
        PID:1948
      - C:\Users\Admin\AppData\Local\Temp\tmp240604859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604859.exe
        6⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605062.exe
        7⤵
        
        PID:488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605093.exe
        7⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605203.exe
        8⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605343.exe
        8⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605828.exe
        9⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606718.exe
        9⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606875.exe
        10⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607031.exe
        10⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607328.exe
        11⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607718.exe
        11⤵
        
        PID:3252
      - C:\Users\Admin\AppData\Local\Temp\tmp240604218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604218.exe
        6⤵
        
        PID:4664
  - - C:\Users\Admin\AppData\Local\Temp\tmp240610093.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240610093.exe
      4⤵
      PID:2036

C:\Users\Admin\AppData\Local\Temp\tmp240599281.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599281.exe
1⤵
- Executes dropped EXE
PID:4616
- C:\Users\Admin\AppData\Local\Temp\tmp240599390.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240599390.exe
  2⤵
  PID:4148
- - C:\Users\Admin\AppData\Local\Temp\tmp240599484.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240599484.exe
    3⤵
    PID:4416
- - C:\Users\Admin\AppData\Local\Temp\tmp240599500.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240599500.exe
    3⤵
    PID:4372
- C:\Users\Admin\AppData\Local\Temp\tmp240599375.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240599375.exe
  2⤵
  PID:4880

C:\Users\Admin\AppData\Local\Temp\tmp240599593.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599593.exe
1⤵
PID:4288
- C:\Users\Admin\AppData\Local\Temp\tmp240599671.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240599671.exe
  2⤵
  - Executes dropped EXE
  PID:1828
- - C:\Users\Admin\AppData\Local\Temp\tmp240599703.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240599703.exe
    3⤵
    PID:5100
- - C:\Users\Admin\AppData\Local\Temp\tmp240599765.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240599765.exe
    3⤵
    PID:4816
  - - C:\Users\Admin\AppData\Local\Temp\tmp240602750.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240602750.exe
      4⤵
      PID:2660
  - - C:\Users\Admin\AppData\Local\Temp\tmp240602062.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240602062.exe
      4⤵
      PID:1092
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:2412
      - C:\Users\Admin\AppData\Local\Temp\tmp240603390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603390.exe
        6⤵
        
        PID:3744
      - C:\Users\Admin\AppData\Local\Temp\tmp240603593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603593.exe
        6⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604265.exe
        7⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604796.exe
        8⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604937.exe
        8⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605125.exe
        9⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605296.exe
        9⤵
        
        PID:648
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605781.exe
        10⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240606890.exe
        10⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607125.exe
        11⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607156.exe
        11⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607390.exe
        12⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240607640.exe
        12⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608000.exe
        13⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608015.exe
        13⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608187.exe
        14⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608515.exe
        14⤵
        
        PID:4800
    - - C:\Users\Admin\AppData\Local\Temp\tmp240610046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240610046.exe
        5⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3100
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613796.exe
        7⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2208
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614906.exe
        9⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:848
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618796.exe
        11⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619281.exe
        11⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619578.exe
        12⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620421.exe
        12⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621015.exe
        13⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621062.exe
        13⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621687.exe
        14⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621718.exe
        14⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622062.exe
        15⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622171.exe
        15⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622484.exe
        16⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622765.exe
        16⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622984.exe
        17⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623140.exe
        17⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623281.exe
        18⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623406.exe
        18⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623593.exe
        19⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646656.exe
        20⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646718.exe
        20⤵
        
        PID:204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623640.exe
        19⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623796.exe
        20⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623921.exe
        21⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624000.exe
        21⤵
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624125.exe
        22⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624187.exe
        22⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624921.exe
        23⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        24⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627234.exe
        25⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:400
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        26⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629703.exe
        27⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2356
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        28⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633281.exe
        29⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        30⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637312.exe
        31⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642421.exe
        32⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643140.exe
        32⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643531.exe
        33⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643890.exe
        33⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644625.exe
        34⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644781.exe
        34⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645390.exe
        35⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645515.exe
        35⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645890.exe
        36⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646000.exe
        36⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646375.exe
        37⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646406.exe
        37⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633296.exe
        29⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633468.exe
        30⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633484.exe
        30⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634296.exe
        31⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634390.exe
        31⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634703.exe
        32⤵
        
        PID:204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634796.exe
        32⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636375.exe
        33⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636421.exe
        33⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636718.exe
        34⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636812.exe
        34⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637562.exe
        35⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637859.exe
        36⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637937.exe
        36⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642109.exe
        37⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643078.exe
        37⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643343.exe
        38⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643765.exe
        38⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644015.exe
        39⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644265.exe
        39⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644796.exe
        40⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645171.exe
        40⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645484.exe
        41⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645531.exe
        41⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646031.exe
        28⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646421.exe
        29⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646484.exe
        29⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645953.exe
        28⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629828.exe
        27⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631343.exe
        28⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633062.exe
        28⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634312.exe
        29⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634500.exe
        29⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634984.exe
        30⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636203.exe
        30⤵
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636531.exe
        31⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636546.exe
        31⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636828.exe
        32⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636921.exe
        32⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637203.exe
        33⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637250.exe
        33⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637671.exe
        34⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637750.exe
        34⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637953.exe
        35⤵
        
        PID:3676
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638031.exe
        35⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642437.exe
        36⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643125.exe
        36⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643265.exe
        37⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4796
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        38⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646531.exe
        39⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646625.exe
        39⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657156.exe
        40⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657203.exe
        40⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657687.exe
        41⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657781.exe
        41⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658140.exe
        42⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658203.exe
        42⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658546.exe
        43⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658625.exe
        43⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658875.exe
        44⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658937.exe
        44⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659125.exe
        45⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659156.exe
        45⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659390.exe
        46⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659421.exe
        46⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659687.exe
        47⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659765.exe
        47⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659984.exe
        48⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664437.exe
        48⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664578.exe
        49⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664609.exe
        49⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664937.exe
        50⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665078.exe
        50⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665343.exe
        51⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665546.exe
        51⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665734.exe
        52⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665750.exe
        52⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668984.exe
        53⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669281.exe
        53⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669406.exe
        54⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669953.exe
        54⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670062.exe
        55⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671921.exe
        55⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672109.exe
        56⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672203.exe
        56⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672359.exe
        57⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672390.exe
        57⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643421.exe
        37⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643859.exe
        38⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644171.exe
        38⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644703.exe
        39⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644937.exe
        40⤵
        
        PID:488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645062.exe
        40⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645375.exe
        41⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645421.exe
        41⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645562.exe
        42⤵
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645625.exe
        42⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645765.exe
        43⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645875.exe
        43⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644406.exe
        39⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627281.exe
        25⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628109.exe
        26⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628609.exe
        26⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628906.exe
        27⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628968.exe
        27⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629437.exe
        28⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629671.exe
        28⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630000.exe
        29⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630078.exe
        29⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630437.exe
        30⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630578.exe
        30⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630843.exe
        31⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630906.exe
        31⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631062.exe
        32⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631125.exe
        32⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631328.exe
        33⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633031.exe
        33⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634234.exe
        34⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634375.exe
        34⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634625.exe
        35⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634671.exe
        35⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634984.exe
        36⤵
        
        PID:4012
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636265.exe
        36⤵
        
        PID:4168
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636390.exe
        37⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636796.exe
        37⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637046.exe
        38⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637093.exe
        38⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637265.exe
        39⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637421.exe
        40⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:316
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        41⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643234.exe
        42⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643359.exe
        42⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643953.exe
        43⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644218.exe
        43⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644875.exe
        44⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645046.exe
        44⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645500.exe
        45⤵
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645578.exe
        45⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637500.exe
        40⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637218.exe
        39⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646921.exe
        36⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4852
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        37⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658515.exe
        38⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1180
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        39⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665171.exe
        40⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4440
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        41⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672312.exe
        42⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4276
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        43⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678656.exe
        44⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679015.exe
        44⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684281.exe
        45⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684359.exe
        45⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684750.exe
        46⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684828.exe
        46⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688937.exe
        47⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689015.exe
        47⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690015.exe
        48⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690062.exe
        48⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690625.exe
        49⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690718.exe
        49⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691156.exe
        50⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691234.exe
        50⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691593.exe
        51⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691671.exe
        51⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692171.exe
        52⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692203.exe
        52⤵
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692656.exe
        53⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4464
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        54⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707234.exe
        55⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:948
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        56⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718968.exe
        57⤵
        Checks computer location settings
        Modifies registry class
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719125.exe
        57⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722484.exe
        58⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722609.exe
        58⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707328.exe
        55⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714109.exe
        56⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714218.exe
        56⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717687.exe
        57⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718953.exe
        57⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719968.exe
        58⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\tmp240720031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240720031.exe
        58⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721031.exe
        59⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721203.exe
        59⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721828.exe
        60⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721921.exe
        60⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722593.exe
        61⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722687.exe
        61⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723078.exe
        62⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692718.exe
        53⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693046.exe
        54⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693625.exe
        55⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693687.exe
        55⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705843.exe
        56⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705921.exe
        56⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706156.exe
        57⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706203.exe
        57⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706375.exe
        58⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706781.exe
        58⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707062.exe
        59⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707109.exe
        59⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707562.exe
        60⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707640.exe
        60⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707906.exe
        61⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\tmp240713765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240713765.exe
        61⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714078.exe
        62⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714359.exe
        63⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714687.exe
        63⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714875.exe
        64⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717234.exe
        64⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717328.exe
        65⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717390.exe
        65⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717578.exe
        66⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717687.exe
        66⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714031.exe
        62⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672468.exe
        42⤵
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675906.exe
        43⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676015.exe
        43⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678468.exe
        44⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678515.exe
        44⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678859.exe
        45⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693000.exe
        46⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678921.exe
        45⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679468.exe
        46⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679593.exe
        46⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683593.exe
        47⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683703.exe
        47⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684171.exe
        48⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684218.exe
        48⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684515.exe
        49⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684546.exe
        49⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684937.exe
        50⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684968.exe
        50⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685437.exe
        51⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688921.exe
        51⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689359.exe
        52⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689531.exe
        52⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690046.exe
        53⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690234.exe
        53⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690812.exe
        54⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690875.exe
        54⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691125.exe
        55⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691171.exe
        55⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691468.exe
        56⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691640.exe
        57⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691687.exe
        57⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691984.exe
        58⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692140.exe
        59⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692187.exe
        59⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692406.exe
        60⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692484.exe
        60⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692671.exe
        61⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692734.exe
        61⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693031.exe
        62⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693265.exe
        63⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693468.exe
        63⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692984.exe
        62⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665218.exe
        40⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669812.exe
        41⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669843.exe
        41⤵
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672015.exe
        42⤵
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672062.exe
        42⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672406.exe
        43⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672515.exe
        43⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672890.exe
        44⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672953.exe
        44⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675156.exe
        45⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675234.exe
        45⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675593.exe
        46⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675687.exe
        46⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676125.exe
        47⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676218.exe
        47⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678500.exe
        48⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678562.exe
        48⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678796.exe
        49⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3684
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        50⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685093.exe
        51⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685203.exe
        51⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689156.exe
        52⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689296.exe
        52⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690046.exe
        53⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690578.exe
        53⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691265.exe
        54⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691359.exe
        54⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691781.exe
        55⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692296.exe
        56⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692343.exe
        56⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692750.exe
        57⤵
        
        PID:1192
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692843.exe
        57⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693531.exe
        58⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693640.exe
        58⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705859.exe
        59⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706000.exe
        59⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706281.exe
        60⤵
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706359.exe
        60⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706718.exe
        61⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706734.exe
        61⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707031.exe
        62⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707125.exe
        62⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707593.exe
        63⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240713515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240713515.exe
        63⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714328.exe
        64⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714843.exe
        65⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717187.exe
        65⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717437.exe
        66⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717484.exe
        66⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717718.exe
        67⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718828.exe
        67⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719109.exe
        68⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719781.exe
        68⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\tmp240720078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240720078.exe
        69⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\tmp240720125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240720125.exe
        69⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240720328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240720328.exe
        70⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\tmp240720875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240720875.exe
        70⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721421.exe
        71⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721484.exe
        71⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721906.exe
        72⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721968.exe
        72⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722156.exe
        73⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722250.exe
        73⤵
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678843.exe
        49⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679437.exe
        50⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679531.exe
        50⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683484.exe
        51⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683562.exe
        51⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683859.exe
        52⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684015.exe
        52⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684250.exe
        53⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684328.exe
        53⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684890.exe
        54⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684953.exe
        54⤵
        
        PID:2852
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685140.exe
        55⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685218.exe
        55⤵
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688890.exe
        56⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689140.exe
        57⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689312.exe
        57⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689546.exe
        58⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689875.exe
        58⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690156.exe
        59⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690406.exe
        60⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690031.exe
        59⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685421.exe
        56⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1004
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        57⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692468.exe
        58⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692515.exe
        58⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706609.exe
        59⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706656.exe
        59⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707265.exe
        60⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707437.exe
        60⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714062.exe
        61⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240714156.exe
        61⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717312.exe
        62⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240717359.exe
        62⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718843.exe
        63⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718937.exe
        63⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240720000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240720000.exe
        64⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\tmp240720671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240720671.exe
        64⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721015.exe
        65⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721078.exe
        65⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721578.exe
        66⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240721687.exe
        66⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722234.exe
        67⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722312.exe
        67⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722765.exe
        68⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722859.exe
        68⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723140.exe
        69⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658578.exe
        38⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659734.exe
        39⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659781.exe
        39⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664546.exe
        40⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664593.exe
        40⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664875.exe
        41⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665062.exe
        41⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665390.exe
        42⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665437.exe
        42⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665718.exe
        43⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668890.exe
        43⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669390.exe
        44⤵
        
        PID:3300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669421.exe
        44⤵
        
        PID:3388
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669703.exe
        45⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669968.exe
        45⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672046.exe
        46⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672171.exe
        46⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672625.exe
        47⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672687.exe
        47⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672968.exe
        48⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674984.exe
        48⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675187.exe
        49⤵
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675203.exe
        49⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675468.exe
        50⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675500.exe
        50⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675781.exe
        51⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675890.exe
        51⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676375.exe
        52⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678359.exe
        52⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678484.exe
        53⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678546.exe
        53⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678875.exe
        54⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678953.exe
        54⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679546.exe
        55⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679640.exe
        55⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683031.exe
        56⤵
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683296.exe
        56⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683468.exe
        57⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240683546.exe
        57⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691890.exe
        51⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646968.exe
        36⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647171.exe
        37⤵
        
        PID:716
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647203.exe
        37⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647468.exe
        38⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647515.exe
        38⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656375.exe
        39⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656406.exe
        39⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656562.exe
        40⤵
        
        PID:4188
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656609.exe
        40⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656796.exe
        41⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656859.exe
        41⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657015.exe
        42⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657187.exe
        42⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657437.exe
        43⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657593.exe
        43⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657750.exe
        44⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657812.exe
        44⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658031.exe
        45⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658093.exe
        45⤵
        
        PID:3856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624953.exe
        23⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623750.exe
        20⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614953.exe
        9⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615281.exe
        10⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615453.exe
        10⤵
        
        PID:3104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615718.exe
        11⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615828.exe
        11⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617187.exe
        12⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625312.exe
        13⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637296.exe
        14⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617234.exe
        12⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617593.exe
        13⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618000.exe
        13⤵
        
        PID:1172
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618531.exe
        14⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621921.exe
        16⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622265.exe
        17⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622359.exe
        17⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623078.exe
        18⤵
        
        PID:3828
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623250.exe
        19⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623296.exe
        19⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623609.exe
        20⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623656.exe
        20⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623828.exe
        21⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623890.exe
        21⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624031.exe
        22⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624171.exe
        22⤵
        
        PID:736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624937.exe
        23⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625015.exe
        23⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619234.exe
        14⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619375.exe
        15⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619531.exe
        15⤵
        
        PID:3860
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620562.exe
        16⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620921.exe
        16⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621328.exe
        17⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621546.exe
        17⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621703.exe
        18⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621750.exe
        18⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621937.exe
        19⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1096
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625000.exe
        21⤵
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625046.exe
        21⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625421.exe
        22⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626015.exe
        23⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626296.exe
        23⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626515.exe
        24⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626531.exe
        24⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626765.exe
        25⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626953.exe
        25⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627312.exe
        26⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627390.exe
        26⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627687.exe
        27⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627750.exe
        27⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627937.exe
        28⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628000.exe
        28⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628640.exe
        29⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628828.exe
        29⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628937.exe
        30⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628984.exe
        30⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629406.exe
        31⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629687.exe
        31⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629859.exe
        32⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629968.exe
        32⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637234.exe
        22⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622140.exe
        19⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622375.exe
        20⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622875.exe
        20⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646750.exe
        11⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646687.exe
        11⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613937.exe
        7⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615000.exe
        8⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615156.exe
        8⤵
        
        PID:1016
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615515.exe
        9⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615906.exe
        10⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617125.exe
        11⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617203.exe
        11⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617484.exe
        12⤵
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617968.exe
        12⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618406.exe
        13⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618468.exe
        13⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618828.exe
        14⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619250.exe
        14⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619468.exe
        15⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620343.exe
        15⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620640.exe
        16⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621093.exe
        16⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621468.exe
        17⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621640.exe
        17⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621734.exe
        18⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621812.exe
        18⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625187.exe
        11⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625265.exe
        11⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625531.exe
        12⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625781.exe
        12⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626421.exe
        13⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626562.exe
        14⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626937.exe
        14⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627046.exe
        15⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627109.exe
        15⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627296.exe
        16⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627421.exe
        16⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626359.exe
        13⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615406.exe
        9⤵
        
        PID:1052
- C:\Users\Admin\AppData\Local\Temp\tmp240599640.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240599640.exe
  2⤵
  PID:1140

C:\Users\Admin\AppData\Local\Temp\tmp240599578.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599578.exe
1⤵
PID:3652

C:\Users\Admin\AppData\Local\Temp\tmp240599234.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599234.exe
1⤵
PID:1268

C:\Users\Admin\AppData\Local\Temp\tmp240599171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599171.exe
1⤵
PID:4684

C:\Users\Admin\AppData\Local\Temp\tmp240599031.exe
C:\Users\Admin\AppData\Local\Temp\tmp240599031.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:1184

C:\Users\Admin\AppData\Local\Temp\tmp240598890.exe
C:\Users\Admin\AppData\Local\Temp\tmp240598890.exe
1⤵
PID:888

C:\Users\Admin\AppData\Local\Temp\tmp240598828.exe
C:\Users\Admin\AppData\Local\Temp\tmp240598828.exe
1⤵
PID:692

C:\Users\Admin\AppData\Local\Temp\tmp240598796.exe
C:\Users\Admin\AppData\Local\Temp\tmp240598796.exe
1⤵
PID:1188

C:\Users\Admin\AppData\Local\Temp\tmp240598343.exe
C:\Users\Admin\AppData\Local\Temp\tmp240598343.exe
1⤵
PID:2188

C:\Users\Admin\AppData\Local\Temp\tmp240598328.exe
C:\Users\Admin\AppData\Local\Temp\tmp240598328.exe
1⤵
PID:1428

C:\Users\Admin\AppData\Local\Temp\tmp240598265.exe
C:\Users\Admin\AppData\Local\Temp\tmp240598265.exe
1⤵
PID:4968

C:\Users\Admin\AppData\Local\Temp\tmp240597437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240597437.exe
1⤵
PID:3220

C:\Users\Admin\AppData\Local\Temp\tmp240596890.exe
C:\Users\Admin\AppData\Local\Temp\tmp240596890.exe
1⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
PID:2216

C:\Users\Admin\AppData\Local\Temp\tmp240596781.exe
C:\Users\Admin\AppData\Local\Temp\tmp240596781.exe
1⤵
PID:2972

C:\Users\Admin\AppData\Local\Temp\tmp240595250.exe
C:\Users\Admin\AppData\Local\Temp\tmp240595250.exe
1⤵
PID:3640

C:\Users\Admin\AppData\Local\Temp\tmp240594437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240594437.exe
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:752

C:\Users\Admin\AppData\Local\Temp\tmp240591406.exe
C:\Users\Admin\AppData\Local\Temp\tmp240591406.exe
1⤵
- Executes dropped EXE
PID:3300

C:\Users\Admin\AppData\Local\Temp\tmp240602875.exe
C:\Users\Admin\AppData\Local\Temp\tmp240602875.exe
1⤵
PID:840

C:\Users\Admin\AppData\Local\Temp\tmp240604156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240604156.exe
1⤵
PID:2296
- C:\Users\Admin\AppData\Local\Temp\tmp240621828.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240621828.exe
  2⤵
  PID:1852

C:\Users\Admin\AppData\Local\Temp\tmp240610437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240610437.exe
1⤵
PID:2368

C:\Users\Admin\AppData\Local\Temp\tmp240615734.exe
C:\Users\Admin\AppData\Local\Temp\tmp240615734.exe
1⤵
PID:3608

C:\Users\Admin\AppData\Local\Temp\tmp240630093.exe
C:\Users\Admin\AppData\Local\Temp\tmp240630093.exe
1⤵
PID:1928

C:\Users\Admin\AppData\Local\Temp\tmp240630140.exe
C:\Users\Admin\AppData\Local\Temp\tmp240630140.exe
1⤵
PID:1548
- C:\Users\Admin\AppData\Local\Temp\tmp240630359.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240630359.exe
  2⤵
  PID:2776
- C:\Users\Admin\AppData\Local\Temp\tmp240630421.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240630421.exe
  2⤵
  PID:4088
- - C:\Users\Admin\AppData\Local\Temp\tmp240630671.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240630671.exe
    3⤵
    PID:4504
- - C:\Users\Admin\AppData\Local\Temp\tmp240630703.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240630703.exe
    3⤵
    PID:4344

C:\Users\Admin\AppData\Local\Temp\tmp240645984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240645984.exe
1⤵
PID:4984
- C:\Users\Admin\AppData\Local\Temp\tmp240646265.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240646265.exe
  2⤵
  PID:3828
- - C:\Users\Admin\AppData\Local\Temp\tmp240646437.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240646437.exe
    3⤵
    PID:2280
- - C:\Users\Admin\AppData\Local\Temp\tmp240646515.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240646515.exe
    3⤵
    PID:1428
- C:\Users\Admin\AppData\Local\Temp\tmp240646203.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240646203.exe
  2⤵
  PID:4132

C:\Users\Admin\AppData\Local\Temp\tmp240645859.exe
C:\Users\Admin\AppData\Local\Temp\tmp240645859.exe
1⤵
PID:4440

C:\Users\Admin\AppData\Local\Temp\tmp240658015.exe
C:\Users\Admin\AppData\Local\Temp\tmp240658015.exe
1⤵
PID:3356

C:\Users\Admin\AppData\Local\Temp\tmp240691390.exe
C:\Users\Admin\AppData\Local\Temp\tmp240691390.exe
1⤵
PID:3900

C:\Users\Admin\AppData\Local\Temp\tmp240691703.exe
C:\Users\Admin\AppData\Local\Temp\tmp240691703.exe
1⤵
PID:3712

C:\Users\Admin\AppData\Local\Temp\tmp240714171.exe
C:\Users\Admin\AppData\Local\Temp\tmp240714171.exe
1⤵
PID:4884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp240576203.exe

Filesize
2.7MB

MD5
c7bd3d3b6ffd8739b896473e2692bee9

SHA1
99eed8b01a89ab6d271f66c6429996e54bdeda7c

SHA256
a5357f86c837b2225e47b49a5c088dbbca525e938060285ca0fd501a8dbf7de7

SHA512
ea59b8ed0971cf734a8e280a2733787cc0560569bb6454a34593edfe321bcaec65d377215ab88ef9e6b7d0afded49fceb1700585223f422c68dd5d77249bbec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240576203.exe

Filesize
2.7MB

MD5
c7bd3d3b6ffd8739b896473e2692bee9

SHA1
99eed8b01a89ab6d271f66c6429996e54bdeda7c

SHA256
a5357f86c837b2225e47b49a5c088dbbca525e938060285ca0fd501a8dbf7de7

SHA512
ea59b8ed0971cf734a8e280a2733787cc0560569bb6454a34593edfe321bcaec65d377215ab88ef9e6b7d0afded49fceb1700585223f422c68dd5d77249bbec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240576500.exe

Filesize
67KB

MD5
388b8fbc36a8558587afc90fb23a3b99

SHA1
ed55ad0a7078651857bd8fc0eedd8b07f94594cc

SHA256
fefeac4c10bbe237cc6c861229ecaacbd2a366ac4fbd04a3862b62bd7a778093

SHA512
0a91f6fd90f3429a69c907d9f81420334be92407269df964b6619874aa241ec6aeb2c1920ac643ce604c7ea65b21cc80f0a09c722327b6c3b7be58f9e3029e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240576500.exe

Filesize
67KB

MD5
388b8fbc36a8558587afc90fb23a3b99

SHA1
ed55ad0a7078651857bd8fc0eedd8b07f94594cc

SHA256
fefeac4c10bbe237cc6c861229ecaacbd2a366ac4fbd04a3862b62bd7a778093

SHA512
0a91f6fd90f3429a69c907d9f81420334be92407269df964b6619874aa241ec6aeb2c1920ac643ce604c7ea65b21cc80f0a09c722327b6c3b7be58f9e3029e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240580890.exe

Filesize
2.7MB

MD5
c7bd3d3b6ffd8739b896473e2692bee9

SHA1
99eed8b01a89ab6d271f66c6429996e54bdeda7c

SHA256
a5357f86c837b2225e47b49a5c088dbbca525e938060285ca0fd501a8dbf7de7

SHA512
ea59b8ed0971cf734a8e280a2733787cc0560569bb6454a34593edfe321bcaec65d377215ab88ef9e6b7d0afded49fceb1700585223f422c68dd5d77249bbec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240580890.exe

Filesize
2.7MB

MD5
c7bd3d3b6ffd8739b896473e2692bee9

SHA1
99eed8b01a89ab6d271f66c6429996e54bdeda7c

SHA256
a5357f86c837b2225e47b49a5c088dbbca525e938060285ca0fd501a8dbf7de7

SHA512
ea59b8ed0971cf734a8e280a2733787cc0560569bb6454a34593edfe321bcaec65d377215ab88ef9e6b7d0afded49fceb1700585223f422c68dd5d77249bbec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240581140.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240581609.exe

Filesize
2.7MB

MD5
c7bd3d3b6ffd8739b896473e2692bee9

SHA1
99eed8b01a89ab6d271f66c6429996e54bdeda7c

SHA256
a5357f86c837b2225e47b49a5c088dbbca525e938060285ca0fd501a8dbf7de7

SHA512
ea59b8ed0971cf734a8e280a2733787cc0560569bb6454a34593edfe321bcaec65d377215ab88ef9e6b7d0afded49fceb1700585223f422c68dd5d77249bbec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240581609.exe

Filesize
2.7MB

MD5
c7bd3d3b6ffd8739b896473e2692bee9

SHA1
99eed8b01a89ab6d271f66c6429996e54bdeda7c

SHA256
a5357f86c837b2225e47b49a5c088dbbca525e938060285ca0fd501a8dbf7de7

SHA512
ea59b8ed0971cf734a8e280a2733787cc0560569bb6454a34593edfe321bcaec65d377215ab88ef9e6b7d0afded49fceb1700585223f422c68dd5d77249bbec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240581890.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240582250.exe

Filesize
2.7MB

MD5
c7bd3d3b6ffd8739b896473e2692bee9

SHA1
99eed8b01a89ab6d271f66c6429996e54bdeda7c

SHA256
a5357f86c837b2225e47b49a5c088dbbca525e938060285ca0fd501a8dbf7de7

SHA512
ea59b8ed0971cf734a8e280a2733787cc0560569bb6454a34593edfe321bcaec65d377215ab88ef9e6b7d0afded49fceb1700585223f422c68dd5d77249bbec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240582250.exe

Filesize
2.7MB

MD5
c7bd3d3b6ffd8739b896473e2692bee9

SHA1
99eed8b01a89ab6d271f66c6429996e54bdeda7c

SHA256
a5357f86c837b2225e47b49a5c088dbbca525e938060285ca0fd501a8dbf7de7

SHA512
ea59b8ed0971cf734a8e280a2733787cc0560569bb6454a34593edfe321bcaec65d377215ab88ef9e6b7d0afded49fceb1700585223f422c68dd5d77249bbec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240582390.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240583000.exe

Filesize
2.7MB

MD5
c7bd3d3b6ffd8739b896473e2692bee9

SHA1
99eed8b01a89ab6d271f66c6429996e54bdeda7c

SHA256
a5357f86c837b2225e47b49a5c088dbbca525e938060285ca0fd501a8dbf7de7

SHA512
ea59b8ed0971cf734a8e280a2733787cc0560569bb6454a34593edfe321bcaec65d377215ab88ef9e6b7d0afded49fceb1700585223f422c68dd5d77249bbec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240583000.exe

Filesize
2.7MB

MD5
c7bd3d3b6ffd8739b896473e2692bee9

SHA1
99eed8b01a89ab6d271f66c6429996e54bdeda7c

SHA256
a5357f86c837b2225e47b49a5c088dbbca525e938060285ca0fd501a8dbf7de7

SHA512
ea59b8ed0971cf734a8e280a2733787cc0560569bb6454a34593edfe321bcaec65d377215ab88ef9e6b7d0afded49fceb1700585223f422c68dd5d77249bbec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240583406.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240584156.exe

Filesize
2.7MB

MD5
c7bd3d3b6ffd8739b896473e2692bee9

SHA1
99eed8b01a89ab6d271f66c6429996e54bdeda7c

SHA256
a5357f86c837b2225e47b49a5c088dbbca525e938060285ca0fd501a8dbf7de7

SHA512
ea59b8ed0971cf734a8e280a2733787cc0560569bb6454a34593edfe321bcaec65d377215ab88ef9e6b7d0afded49fceb1700585223f422c68dd5d77249bbec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240584156.exe

Filesize
2.7MB

MD5
c7bd3d3b6ffd8739b896473e2692bee9

SHA1
99eed8b01a89ab6d271f66c6429996e54bdeda7c

SHA256
a5357f86c837b2225e47b49a5c088dbbca525e938060285ca0fd501a8dbf7de7

SHA512
ea59b8ed0971cf734a8e280a2733787cc0560569bb6454a34593edfe321bcaec65d377215ab88ef9e6b7d0afded49fceb1700585223f422c68dd5d77249bbec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240584250.exe

Filesize
2.9MB

MD5
ad3b253c193c3375bad1ac860bf2a239

SHA1
050ea3b19542ab15c5dda91d80bfa65265d56ff1

SHA256
a24fa77f30252022fbfcf11964a967317b7953fe40a9f06a422bc015d473b9d3

SHA512
e190722e3ac7aeaab1bef9140515331201453158d3879af713848e0b8667ff2f565c0d25b9cf345dc2ff78070054f83de8158ab7cc42745af01d4d3f7c44b8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240584250.exe

Filesize
2.9MB

MD5
ad3b253c193c3375bad1ac860bf2a239

SHA1
050ea3b19542ab15c5dda91d80bfa65265d56ff1

SHA256
a24fa77f30252022fbfcf11964a967317b7953fe40a9f06a422bc015d473b9d3

SHA512
e190722e3ac7aeaab1bef9140515331201453158d3879af713848e0b8667ff2f565c0d25b9cf345dc2ff78070054f83de8158ab7cc42745af01d4d3f7c44b8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240584437.exe

Filesize
2.7MB

MD5
c7bd3d3b6ffd8739b896473e2692bee9

SHA1
99eed8b01a89ab6d271f66c6429996e54bdeda7c

SHA256
a5357f86c837b2225e47b49a5c088dbbca525e938060285ca0fd501a8dbf7de7

SHA512
ea59b8ed0971cf734a8e280a2733787cc0560569bb6454a34593edfe321bcaec65d377215ab88ef9e6b7d0afded49fceb1700585223f422c68dd5d77249bbec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240584437.exe

Filesize
2.7MB

MD5
c7bd3d3b6ffd8739b896473e2692bee9

SHA1
99eed8b01a89ab6d271f66c6429996e54bdeda7c

SHA256
a5357f86c837b2225e47b49a5c088dbbca525e938060285ca0fd501a8dbf7de7

SHA512
ea59b8ed0971cf734a8e280a2733787cc0560569bb6454a34593edfe321bcaec65d377215ab88ef9e6b7d0afded49fceb1700585223f422c68dd5d77249bbec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240584687.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240584750.exe

Filesize
2.7MB

MD5
c7bd3d3b6ffd8739b896473e2692bee9

SHA1
99eed8b01a89ab6d271f66c6429996e54bdeda7c

SHA256
a5357f86c837b2225e47b49a5c088dbbca525e938060285ca0fd501a8dbf7de7

SHA512
ea59b8ed0971cf734a8e280a2733787cc0560569bb6454a34593edfe321bcaec65d377215ab88ef9e6b7d0afded49fceb1700585223f422c68dd5d77249bbec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240584750.exe

Filesize
2.7MB

MD5
c7bd3d3b6ffd8739b896473e2692bee9

SHA1
99eed8b01a89ab6d271f66c6429996e54bdeda7c

SHA256
a5357f86c837b2225e47b49a5c088dbbca525e938060285ca0fd501a8dbf7de7

SHA512
ea59b8ed0971cf734a8e280a2733787cc0560569bb6454a34593edfe321bcaec65d377215ab88ef9e6b7d0afded49fceb1700585223f422c68dd5d77249bbec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240585500.exe

Filesize
2.9MB

MD5
ad3b253c193c3375bad1ac860bf2a239

SHA1
050ea3b19542ab15c5dda91d80bfa65265d56ff1

SHA256
a24fa77f30252022fbfcf11964a967317b7953fe40a9f06a422bc015d473b9d3

SHA512
e190722e3ac7aeaab1bef9140515331201453158d3879af713848e0b8667ff2f565c0d25b9cf345dc2ff78070054f83de8158ab7cc42745af01d4d3f7c44b8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240585500.exe

Filesize
2.9MB

MD5
ad3b253c193c3375bad1ac860bf2a239

SHA1
050ea3b19542ab15c5dda91d80bfa65265d56ff1

SHA256
a24fa77f30252022fbfcf11964a967317b7953fe40a9f06a422bc015d473b9d3

SHA512
e190722e3ac7aeaab1bef9140515331201453158d3879af713848e0b8667ff2f565c0d25b9cf345dc2ff78070054f83de8158ab7cc42745af01d4d3f7c44b8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240585718.exe

Filesize
2.7MB

MD5
c7bd3d3b6ffd8739b896473e2692bee9

SHA1
99eed8b01a89ab6d271f66c6429996e54bdeda7c

SHA256
a5357f86c837b2225e47b49a5c088dbbca525e938060285ca0fd501a8dbf7de7

SHA512
ea59b8ed0971cf734a8e280a2733787cc0560569bb6454a34593edfe321bcaec65d377215ab88ef9e6b7d0afded49fceb1700585223f422c68dd5d77249bbec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240585718.exe

Filesize
2.7MB

MD5
c7bd3d3b6ffd8739b896473e2692bee9

SHA1
99eed8b01a89ab6d271f66c6429996e54bdeda7c

SHA256
a5357f86c837b2225e47b49a5c088dbbca525e938060285ca0fd501a8dbf7de7

SHA512
ea59b8ed0971cf734a8e280a2733787cc0560569bb6454a34593edfe321bcaec65d377215ab88ef9e6b7d0afded49fceb1700585223f422c68dd5d77249bbec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240586031.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240587265.exe

Filesize
2.7MB

MD5
c7bd3d3b6ffd8739b896473e2692bee9

SHA1
99eed8b01a89ab6d271f66c6429996e54bdeda7c

SHA256
a5357f86c837b2225e47b49a5c088dbbca525e938060285ca0fd501a8dbf7de7

SHA512
ea59b8ed0971cf734a8e280a2733787cc0560569bb6454a34593edfe321bcaec65d377215ab88ef9e6b7d0afded49fceb1700585223f422c68dd5d77249bbec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240587265.exe

Filesize
2.7MB

MD5
c7bd3d3b6ffd8739b896473e2692bee9

SHA1
99eed8b01a89ab6d271f66c6429996e54bdeda7c

SHA256
a5357f86c837b2225e47b49a5c088dbbca525e938060285ca0fd501a8dbf7de7

SHA512
ea59b8ed0971cf734a8e280a2733787cc0560569bb6454a34593edfe321bcaec65d377215ab88ef9e6b7d0afded49fceb1700585223f422c68dd5d77249bbec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240587421.exe

Filesize
2.9MB

MD5
ad3b253c193c3375bad1ac860bf2a239

SHA1
050ea3b19542ab15c5dda91d80bfa65265d56ff1

SHA256
a24fa77f30252022fbfcf11964a967317b7953fe40a9f06a422bc015d473b9d3

SHA512
e190722e3ac7aeaab1bef9140515331201453158d3879af713848e0b8667ff2f565c0d25b9cf345dc2ff78070054f83de8158ab7cc42745af01d4d3f7c44b8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240587421.exe

Filesize
2.9MB

MD5
ad3b253c193c3375bad1ac860bf2a239

SHA1
050ea3b19542ab15c5dda91d80bfa65265d56ff1

SHA256
a24fa77f30252022fbfcf11964a967317b7953fe40a9f06a422bc015d473b9d3

SHA512
e190722e3ac7aeaab1bef9140515331201453158d3879af713848e0b8667ff2f565c0d25b9cf345dc2ff78070054f83de8158ab7cc42745af01d4d3f7c44b8e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240587578.exe

Filesize
2.7MB

MD5
c7bd3d3b6ffd8739b896473e2692bee9

SHA1
99eed8b01a89ab6d271f66c6429996e54bdeda7c

SHA256
a5357f86c837b2225e47b49a5c088dbbca525e938060285ca0fd501a8dbf7de7

SHA512
ea59b8ed0971cf734a8e280a2733787cc0560569bb6454a34593edfe321bcaec65d377215ab88ef9e6b7d0afded49fceb1700585223f422c68dd5d77249bbec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240587578.exe

Filesize
2.7MB

MD5
c7bd3d3b6ffd8739b896473e2692bee9

SHA1
99eed8b01a89ab6d271f66c6429996e54bdeda7c

SHA256
a5357f86c837b2225e47b49a5c088dbbca525e938060285ca0fd501a8dbf7de7

SHA512
ea59b8ed0971cf734a8e280a2733787cc0560569bb6454a34593edfe321bcaec65d377215ab88ef9e6b7d0afded49fceb1700585223f422c68dd5d77249bbec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240587953.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240588218.exe

Filesize
2.7MB

MD5
c7bd3d3b6ffd8739b896473e2692bee9

SHA1
99eed8b01a89ab6d271f66c6429996e54bdeda7c

SHA256
a5357f86c837b2225e47b49a5c088dbbca525e938060285ca0fd501a8dbf7de7

SHA512
ea59b8ed0971cf734a8e280a2733787cc0560569bb6454a34593edfe321bcaec65d377215ab88ef9e6b7d0afded49fceb1700585223f422c68dd5d77249bbec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240588218.exe

Filesize
2.7MB

MD5
c7bd3d3b6ffd8739b896473e2692bee9

SHA1
99eed8b01a89ab6d271f66c6429996e54bdeda7c

SHA256
a5357f86c837b2225e47b49a5c088dbbca525e938060285ca0fd501a8dbf7de7

SHA512
ea59b8ed0971cf734a8e280a2733787cc0560569bb6454a34593edfe321bcaec65d377215ab88ef9e6b7d0afded49fceb1700585223f422c68dd5d77249bbec9

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
2.7MB

MD5
c7bd3d3b6ffd8739b896473e2692bee9

SHA1
99eed8b01a89ab6d271f66c6429996e54bdeda7c

SHA256
a5357f86c837b2225e47b49a5c088dbbca525e938060285ca0fd501a8dbf7de7

SHA512
ea59b8ed0971cf734a8e280a2733787cc0560569bb6454a34593edfe321bcaec65d377215ab88ef9e6b7d0afded49fceb1700585223f422c68dd5d77249bbec9

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
2.7MB

MD5
c7bd3d3b6ffd8739b896473e2692bee9

SHA1
99eed8b01a89ab6d271f66c6429996e54bdeda7c

SHA256
a5357f86c837b2225e47b49a5c088dbbca525e938060285ca0fd501a8dbf7de7

SHA512
ea59b8ed0971cf734a8e280a2733787cc0560569bb6454a34593edfe321bcaec65d377215ab88ef9e6b7d0afded49fceb1700585223f422c68dd5d77249bbec9

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
2.7MB

MD5
c7bd3d3b6ffd8739b896473e2692bee9

SHA1
99eed8b01a89ab6d271f66c6429996e54bdeda7c

SHA256
a5357f86c837b2225e47b49a5c088dbbca525e938060285ca0fd501a8dbf7de7

SHA512
ea59b8ed0971cf734a8e280a2733787cc0560569bb6454a34593edfe321bcaec65d377215ab88ef9e6b7d0afded49fceb1700585223f422c68dd5d77249bbec9

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
2.7MB

MD5
c7bd3d3b6ffd8739b896473e2692bee9

SHA1
99eed8b01a89ab6d271f66c6429996e54bdeda7c

SHA256
a5357f86c837b2225e47b49a5c088dbbca525e938060285ca0fd501a8dbf7de7

SHA512
ea59b8ed0971cf734a8e280a2733787cc0560569bb6454a34593edfe321bcaec65d377215ab88ef9e6b7d0afded49fceb1700585223f422c68dd5d77249bbec9

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
2.7MB

MD5
c7bd3d3b6ffd8739b896473e2692bee9

SHA1
99eed8b01a89ab6d271f66c6429996e54bdeda7c

SHA256
a5357f86c837b2225e47b49a5c088dbbca525e938060285ca0fd501a8dbf7de7

SHA512
ea59b8ed0971cf734a8e280a2733787cc0560569bb6454a34593edfe321bcaec65d377215ab88ef9e6b7d0afded49fceb1700585223f422c68dd5d77249bbec9

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
2.7MB

MD5
c7bd3d3b6ffd8739b896473e2692bee9

SHA1
99eed8b01a89ab6d271f66c6429996e54bdeda7c

SHA256
a5357f86c837b2225e47b49a5c088dbbca525e938060285ca0fd501a8dbf7de7

SHA512
ea59b8ed0971cf734a8e280a2733787cc0560569bb6454a34593edfe321bcaec65d377215ab88ef9e6b7d0afded49fceb1700585223f422c68dd5d77249bbec9

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
2.7MB

MD5
c7bd3d3b6ffd8739b896473e2692bee9

SHA1
99eed8b01a89ab6d271f66c6429996e54bdeda7c

SHA256
a5357f86c837b2225e47b49a5c088dbbca525e938060285ca0fd501a8dbf7de7

SHA512
ea59b8ed0971cf734a8e280a2733787cc0560569bb6454a34593edfe321bcaec65d377215ab88ef9e6b7d0afded49fceb1700585223f422c68dd5d77249bbec9

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
5.6MB

MD5
e7e222c4b5ce5915b5e912826b451d50

SHA1
cb8e732bbf8528ecbf51492cd951e58005e1f8a4

SHA256
dddcb1e6d6be98281dbef6b1d413fcca436b41cfbf55c465ad1c4deabe421a15

SHA512
2e24d460db234bfb69d25e8d9ae39a83912c9a1dbb0e0b228c2bc9b910edf16ffa2f1db9ed7469c806ba16e67ee2fac65c5b3c850eaea5b221d519a839479350

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
5.6MB

MD5
e7e222c4b5ce5915b5e912826b451d50

SHA1
cb8e732bbf8528ecbf51492cd951e58005e1f8a4

SHA256
dddcb1e6d6be98281dbef6b1d413fcca436b41cfbf55c465ad1c4deabe421a15

SHA512
2e24d460db234bfb69d25e8d9ae39a83912c9a1dbb0e0b228c2bc9b910edf16ffa2f1db9ed7469c806ba16e67ee2fac65c5b3c850eaea5b221d519a839479350

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
5.6MB

MD5
e7e222c4b5ce5915b5e912826b451d50

SHA1
cb8e732bbf8528ecbf51492cd951e58005e1f8a4

SHA256
dddcb1e6d6be98281dbef6b1d413fcca436b41cfbf55c465ad1c4deabe421a15

SHA512
2e24d460db234bfb69d25e8d9ae39a83912c9a1dbb0e0b228c2bc9b910edf16ffa2f1db9ed7469c806ba16e67ee2fac65c5b3c850eaea5b221d519a839479350

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
5.6MB

MD5
e7e222c4b5ce5915b5e912826b451d50

SHA1
cb8e732bbf8528ecbf51492cd951e58005e1f8a4

SHA256
dddcb1e6d6be98281dbef6b1d413fcca436b41cfbf55c465ad1c4deabe421a15

SHA512
2e24d460db234bfb69d25e8d9ae39a83912c9a1dbb0e0b228c2bc9b910edf16ffa2f1db9ed7469c806ba16e67ee2fac65c5b3c850eaea5b221d519a839479350

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
5.6MB

MD5
e7e222c4b5ce5915b5e912826b451d50

SHA1
cb8e732bbf8528ecbf51492cd951e58005e1f8a4

SHA256
dddcb1e6d6be98281dbef6b1d413fcca436b41cfbf55c465ad1c4deabe421a15

SHA512
2e24d460db234bfb69d25e8d9ae39a83912c9a1dbb0e0b228c2bc9b910edf16ffa2f1db9ed7469c806ba16e67ee2fac65c5b3c850eaea5b221d519a839479350

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
2.9MB

MD5
ad3b253c193c3375bad1ac860bf2a239

SHA1
050ea3b19542ab15c5dda91d80bfa65265d56ff1

SHA256
a24fa77f30252022fbfcf11964a967317b7953fe40a9f06a422bc015d473b9d3

SHA512
e190722e3ac7aeaab1bef9140515331201453158d3879af713848e0b8667ff2f565c0d25b9cf345dc2ff78070054f83de8158ab7cc42745af01d4d3f7c44b8e4

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
2.9MB

MD5
ad3b253c193c3375bad1ac860bf2a239

SHA1
050ea3b19542ab15c5dda91d80bfa65265d56ff1

SHA256
a24fa77f30252022fbfcf11964a967317b7953fe40a9f06a422bc015d473b9d3

SHA512
e190722e3ac7aeaab1bef9140515331201453158d3879af713848e0b8667ff2f565c0d25b9cf345dc2ff78070054f83de8158ab7cc42745af01d4d3f7c44b8e4

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
2.9MB

MD5
ad3b253c193c3375bad1ac860bf2a239

SHA1
050ea3b19542ab15c5dda91d80bfa65265d56ff1

SHA256
a24fa77f30252022fbfcf11964a967317b7953fe40a9f06a422bc015d473b9d3

SHA512
e190722e3ac7aeaab1bef9140515331201453158d3879af713848e0b8667ff2f565c0d25b9cf345dc2ff78070054f83de8158ab7cc42745af01d4d3f7c44b8e4

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
2.9MB

MD5
ad3b253c193c3375bad1ac860bf2a239

SHA1
050ea3b19542ab15c5dda91d80bfa65265d56ff1

SHA256
a24fa77f30252022fbfcf11964a967317b7953fe40a9f06a422bc015d473b9d3

SHA512
e190722e3ac7aeaab1bef9140515331201453158d3879af713848e0b8667ff2f565c0d25b9cf345dc2ff78070054f83de8158ab7cc42745af01d4d3f7c44b8e4

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
2.9MB

MD5
ad3b253c193c3375bad1ac860bf2a239

SHA1
050ea3b19542ab15c5dda91d80bfa65265d56ff1

SHA256
a24fa77f30252022fbfcf11964a967317b7953fe40a9f06a422bc015d473b9d3

SHA512
e190722e3ac7aeaab1bef9140515331201453158d3879af713848e0b8667ff2f565c0d25b9cf345dc2ff78070054f83de8158ab7cc42745af01d4d3f7c44b8e4

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
memory/716-300-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/872-285-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/920-170-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/940-274-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1040-229-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1040-220-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1160-210-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1204-317-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1204-313-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1320-267-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1320-264-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1324-299-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1324-298-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1376-271-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1816-244-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1816-238-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1828-235-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1908-307-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1932-318-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1932-312-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1980-301-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2208-150-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2420-289-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2500-259-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2640-321-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2824-309-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3068-320-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3112-256-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3600-305-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3600-303-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3652-304-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3652-306-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3700-296-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3740-319-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3740-323-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3768-195-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3768-201-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3840-292-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3852-160-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3972-252-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3972-250-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4032-293-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4032-294-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4124-322-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4124-315-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4208-316-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4208-314-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4284-132-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4284-139-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4392-192-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4432-295-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4440-279-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4440-282-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4452-263-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4456-310-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4460-311-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4464-247-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4612-302-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4680-297-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4756-308-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4764-211-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4764-219-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4964-180-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5088-277-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download