beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

Analysis

max time kernel
160s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2022, 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e.exe
Size

2.4MB
MD5

eea134df8c6fad7ef194105335555cf0
SHA1

6292cf1e7d49fd64281fc1dff4f1c663495ac1c4
SHA256

beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e
SHA512

5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226
SSDEEP

24576:HDyTFtjBDyTFtjBDyTFtjBDyTFtjTDyTFtjBDyTFtjRDyTFtjBDyTFtj7DyTFtjG:AtqtitqtYtqtitqt4tqtdtqtltqt

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
1696	notpad.exe
4752	tmp240601437.exe
1456	notpad.exe
4344	tmp240601812.exe
4572	tmp240602265.exe
4700	tmp240615843.exe
372	notpad.exe
4904	tmp240615453.exe
4580	tmp240603546.exe
1272	notpad.exe
1500	tmp240615687.exe
4912	tmp240604468.exe
4288	notpad.exe
3988	tmp240604906.exe
4284	tmp240616156.exe
3948	notpad.exe
1376	tmp240605453.exe
1764	tmp240617062.exe
4204	notpad.exe
2732	tmp240619125.exe
2968	notpad.exe
4116	tmp240608390.exe
4616	tmp240619812.exe
3060	tmp240608828.exe
3480	tmp240609078.exe
5084	tmp240608890.exe
1908	notpad.exe
1980	tmp240620328.exe
2052	tmp240609562.exe
2508	tmp240609906.exe
908	tmp240610000.exe
2588	notpad.exe
1140	tmp240610359.exe
1288	tmp240610500.exe
4984	tmp240610640.exe
3756	notpad.exe
2184	tmp240610671.exe
4056	tmp240611203.exe
4132	tmp240611421.exe
4128	tmp240611562.exe
2444	tmp240620734.exe
4720	tmp240621640.exe
2080	notpad.exe
5060	tmp240621953.exe
4072	tmp240612500.exe
4864	tmp240612718.exe
3684	notpad.exe
4472	tmp240612968.exe
4592	notpad.exe
1124	tmp240613859.exe
4752	tmp240613078.exe
1696	tmp240614093.exe
4768	notpad.exe
2960	tmp240615015.exe
3652	tmp240615218.exe
1792	tmp240614984.exe
372	notpad.exe
1212	tmp240615406.exe
4904	tmp240615453.exe
4464	tmp240615468.exe
4700	tmp240615843.exe
1396	tmp240615703.exe
3500	tmp240615781.exe
3144	notpad.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000022f6d-134.dat	upx
behavioral2/files/0x0007000000022f6d-133.dat	upx
behavioral2/files/0x000a000000022f5f-138.dat	upx
behavioral2/files/0x0007000000022f6d-141.dat	upx
behavioral2/memory/1696-142-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1456-143-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1696-146-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x000a000000022f5f-150.dat	upx
behavioral2/memory/1456-154-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022f6d-156.dat	upx
behavioral2/memory/372-157-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x000a000000022f5f-161.dat	upx
behavioral2/memory/372-165-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022f6d-167.dat	upx
behavioral2/memory/1272-168-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x000a000000022f5f-172.dat	upx
behavioral2/memory/1272-176-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022f6d-178.dat	upx
behavioral2/memory/4288-186-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022f6d-188.dat	upx
behavioral2/files/0x000a000000022f5f-183.dat	upx
behavioral2/memory/3948-195-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x000a000000022f5f-193.dat	upx
behavioral2/files/0x0006000000022f87-198.dat	upx
behavioral2/files/0x0006000000022f87-199.dat	upx
behavioral2/files/0x000a000000022f5f-203.dat	upx
behavioral2/memory/4204-205-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022f87-207.dat	upx
behavioral2/files/0x000a000000022f5f-215.dat	upx
behavioral2/memory/4204-214-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022f8b-224.dat	upx
behavioral2/memory/2968-226-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022f8b-223.dat	upx
behavioral2/memory/4116-225-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1908-230-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5084-229-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022f87-228.dat	upx
behavioral2/files/0x000a000000022f5f-235.dat	upx
behavioral2/memory/5084-241-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0006000000022f92-243.dat	upx
behavioral2/memory/908-251-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2588-249-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/908-248-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1908-244-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2588-254-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4128-260-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2184-261-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3756-258-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2184-263-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4128-266-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000022f83-211.dat	upx
behavioral2/files/0x0007000000022f83-210.dat	upx
behavioral2/memory/2080-270-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4864-271-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3684-273-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4592-279-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4864-277-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4592-283-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3684-285-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/372-298-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3144-299-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4904-297-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2960-296-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3144-300-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240635062.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240652593.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240678968.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240605453.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240611203.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240618750.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240625453.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240658984.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240620671.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240636203.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240646609.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240650500.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240668703.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240680437.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240626921.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240628156.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240653640.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240688468.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240615453.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240619812.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240620328.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240620718.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240639312.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240671796.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240615687.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240616421.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240620953.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240625203.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240629625.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240602265.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240626421.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240633890.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240724546.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240610359.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240615218.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240628968.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240726078.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240612500.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240620046.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240651859.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240669203.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240619125.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240639437.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240674015.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240615406.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240627453.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240630156.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240640421.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240638078.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240689953.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240710375.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240617203.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240661984.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240667765.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240684734.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240604906.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240622718.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240613078.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240612968.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240616062.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240619328.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240693750.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	tmp240722859.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240726078.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240613078.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240620718.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240639312.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240658984.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240674015.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240722859.exe
File created	C:\Windows\SysWOW64\notpad.exe	beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240602265.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240619125.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240626421.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240650500.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240650500.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240652593.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240722859.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240612968.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240617203.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240628156.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240628968.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240724546.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240629625.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240652593.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240653640.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240661984.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240619812.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240612500.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240625203.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240627453.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240661984.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240693750.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240722859.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240619812.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240610359.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240667765.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240710375.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240724546.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240611203.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240620046.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240625203.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240674015.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240604906.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240620671.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240622718.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240669203.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240635062.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240638078.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240667765.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240684734.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240613078.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240616421.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240626421.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240630156.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240689953.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240693750.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240726078.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240613078.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240626921.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240640421.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240640421.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240616062.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240667765.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240668703.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240732718.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240635062.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240618750.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240619328.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240625203.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240628968.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240639312.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240619125.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240625453.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240652593.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240615453.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240629625.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240636203.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240638078.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240724546.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240604906.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240620953.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240613078.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240674015.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240678968.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240689953.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240617203.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240630156.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240688468.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240615687.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240612500.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240616062.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240626421.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240726078.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240612968.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240615218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240626921.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240627453.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240639437.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240669203.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240610359.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240646609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240661984.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240671796.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240619812.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240611203.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240620046.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240628156.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240650500.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240684734.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240620718.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240622718.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240658984.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240710375.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240615406.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240616421.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240633890.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240640421.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240653640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240693750.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240605453.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240620328.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240601437.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240602265.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240635062.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240667765.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240668703.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240620671.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240651859.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240680437.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4992 wrote to memory of 1696	4992	beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e.exe	81
PID 4992 wrote to memory of 1696	4992	beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e.exe	81
PID 4992 wrote to memory of 1696	4992	beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e.exe	81
PID 1696 wrote to memory of 4752	1696	notpad.exe	82
PID 1696 wrote to memory of 4752	1696	notpad.exe	82
PID 1696 wrote to memory of 4752	1696	notpad.exe	82
PID 4752 wrote to memory of 1456	4752	tmp240613078.exe	84
PID 4752 wrote to memory of 1456	4752	tmp240613078.exe	84
PID 4752 wrote to memory of 1456	4752	tmp240613078.exe	84
PID 1696 wrote to memory of 4344	1696	tmp240614093.exe	83
PID 1696 wrote to memory of 4344	1696	tmp240614093.exe	83
PID 1696 wrote to memory of 4344	1696	tmp240614093.exe	83
PID 1456 wrote to memory of 4572	1456	notpad.exe	86
PID 1456 wrote to memory of 4572	1456	notpad.exe	86
PID 1456 wrote to memory of 4572	1456	notpad.exe	86
PID 1456 wrote to memory of 4700	1456	notpad.exe	151
PID 1456 wrote to memory of 4700	1456	notpad.exe	151
PID 1456 wrote to memory of 4700	1456	notpad.exe	151
PID 4572 wrote to memory of 372	4572	tmp240602265.exe	138
PID 4572 wrote to memory of 372	4572	tmp240602265.exe	138
PID 4572 wrote to memory of 372	4572	tmp240602265.exe	138
PID 372 wrote to memory of 4904	372	notpad.exe	139
PID 372 wrote to memory of 4904	372	notpad.exe	139
PID 372 wrote to memory of 4904	372	notpad.exe	139
PID 372 wrote to memory of 4580	372	notpad.exe	89
PID 372 wrote to memory of 4580	372	notpad.exe	89
PID 372 wrote to memory of 4580	372	notpad.exe	89
PID 4904 wrote to memory of 1272	4904	tmp240615453.exe	90
PID 4904 wrote to memory of 1272	4904	tmp240615453.exe	90
PID 4904 wrote to memory of 1272	4904	tmp240615453.exe	90
PID 1272 wrote to memory of 1500	1272	notpad.exe	141
PID 1272 wrote to memory of 1500	1272	notpad.exe	141
PID 1272 wrote to memory of 1500	1272	notpad.exe	141
PID 1272 wrote to memory of 4912	1272	notpad.exe	93
PID 1272 wrote to memory of 4912	1272	notpad.exe	93
PID 1272 wrote to memory of 4912	1272	notpad.exe	93
PID 1500 wrote to memory of 4288	1500	tmp240615687.exe	94
PID 1500 wrote to memory of 4288	1500	tmp240615687.exe	94
PID 1500 wrote to memory of 4288	1500	tmp240615687.exe	94
PID 4288 wrote to memory of 3988	4288	notpad.exe	97
PID 4288 wrote to memory of 3988	4288	notpad.exe	97
PID 4288 wrote to memory of 3988	4288	notpad.exe	97
PID 4288 wrote to memory of 4284	4288	notpad.exe	145
PID 4288 wrote to memory of 4284	4288	notpad.exe	145
PID 4288 wrote to memory of 4284	4288	notpad.exe	145
PID 3988 wrote to memory of 3948	3988	tmp240604906.exe	95
PID 3988 wrote to memory of 3948	3988	tmp240604906.exe	95
PID 3988 wrote to memory of 3948	3988	tmp240604906.exe	95
PID 3948 wrote to memory of 1376	3948	notpad.exe	98
PID 3948 wrote to memory of 1376	3948	notpad.exe	98
PID 3948 wrote to memory of 1376	3948	notpad.exe	98
PID 3948 wrote to memory of 1764	3948	notpad.exe	156
PID 3948 wrote to memory of 1764	3948	notpad.exe	156
PID 3948 wrote to memory of 1764	3948	notpad.exe	156
PID 1376 wrote to memory of 4204	1376	tmp240605453.exe	100
PID 1376 wrote to memory of 4204	1376	tmp240605453.exe	100
PID 1376 wrote to memory of 4204	1376	tmp240605453.exe	100
PID 4204 wrote to memory of 2732	4204	notpad.exe	169
PID 4204 wrote to memory of 2732	4204	notpad.exe	169
PID 4204 wrote to memory of 2732	4204	notpad.exe	169
PID 2732 wrote to memory of 2968	2732	tmp240619125.exe	128
PID 2732 wrote to memory of 2968	2732	tmp240619125.exe	128
PID 2732 wrote to memory of 2968	2732	tmp240619125.exe	128
PID 4204 wrote to memory of 4116	4204	notpad.exe	102

C:\Users\Admin\AppData\Local\Temp\beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e.exe
"C:\Users\Admin\AppData\Local\Temp\beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4992
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Users\Admin\AppData\Local\Temp\tmp240601437.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240601437.exe
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:4752
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1456
    - - C:\Users\Admin\AppData\Local\Temp\tmp240602703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602703.exe
        5⤵
        
        PID:4700
    - - C:\Users\Admin\AppData\Local\Temp\tmp240602265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240602265.exe
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4572
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:372
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603234.exe
        7⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603953.exe
        9⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240605093.exe
        11⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604906.exe
        11⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240604468.exe
        9⤵
        Executes dropped EXE
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240603546.exe
        7⤵
        Executes dropped EXE
        
        PID:4580
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      Executes dropped EXE
      PID:4768
    - - C:\Users\Admin\AppData\Local\Temp\tmp240615218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615218.exe
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        
        PID:3652
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615687.exe
        7⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616171.exe
        7⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616796.exe
        8⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617031.exe
        8⤵
        
        PID:1900
    - - C:\Users\Admin\AppData\Local\Temp\tmp240615453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615453.exe
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4904
      - C:\Users\Admin\AppData\Local\Temp\tmp240616046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616046.exe
        6⤵
        
        PID:1692
      - C:\Users\Admin\AppData\Local\Temp\tmp240615781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615781.exe
        6⤵
        Executes dropped EXE
        
        PID:3500
- - C:\Users\Admin\AppData\Local\Temp\tmp240601812.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240601812.exe
    3⤵
    - Executes dropped EXE
    PID:4344

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3948
- C:\Users\Admin\AppData\Local\Temp\tmp240605453.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240605453.exe
  2⤵
  - Executes dropped EXE
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4204
  - - C:\Users\Admin\AppData\Local\Temp\tmp240608062.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240608062.exe
      4⤵
      PID:2732
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        Executes dropped EXE
        
        PID:2968
  - - C:\Users\Admin\AppData\Local\Temp\tmp240608390.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240608390.exe
      4⤵
      Executes dropped EXE
      PID:4116
    - - C:\Users\Admin\AppData\Local\Temp\tmp240608828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240608828.exe
        5⤵
        Executes dropped EXE
        
        PID:3060
    - - C:\Users\Admin\AppData\Local\Temp\tmp240609078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240609078.exe
        5⤵
        Executes dropped EXE
        
        PID:3480
- C:\Users\Admin\AppData\Local\Temp\tmp240605875.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240605875.exe
  2⤵
  PID:1764

C:\Users\Admin\AppData\Local\Temp\tmp240608656.exe
C:\Users\Admin\AppData\Local\Temp\tmp240608656.exe
1⤵
PID:4616
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  PID:1908
- - C:\Users\Admin\AppData\Local\Temp\tmp240609562.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240609562.exe
    3⤵
    - Executes dropped EXE
    PID:2052
- - C:\Users\Admin\AppData\Local\Temp\tmp240610000.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240610000.exe
    3⤵
    - Executes dropped EXE
    PID:908
  - - C:\Users\Admin\AppData\Local\Temp\tmp240610359.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240610359.exe
      4⤵
      Executes dropped EXE
      Checks computer location settings
      Drops file in System32 directory
      Modifies registry class
      PID:1140
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        Executes dropped EXE
        
        PID:3756
      - C:\Users\Admin\AppData\Local\Temp\tmp240611203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611203.exe
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        Executes dropped EXE
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612500.exe
        8⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4072
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        Executes dropped EXE
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613078.exe
        10⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614984.exe
        10⤵
        Executes dropped EXE
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615468.exe
        11⤵
        Executes dropped EXE
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615843.exe
        11⤵
        Executes dropped EXE
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612718.exe
        8⤵
        Executes dropped EXE
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612968.exe
        9⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4472
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        Executes dropped EXE
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614093.exe
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615015.exe
        11⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615703.exe
        12⤵
        Executes dropped EXE
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615406.exe
        12⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613859.exe
        9⤵
        Executes dropped EXE
        
        PID:1124
      - C:\Users\Admin\AppData\Local\Temp\tmp240611562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611562.exe
        6⤵
        Executes dropped EXE
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611828.exe
        7⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612421.exe
        7⤵
        
        PID:5060
  - - C:\Users\Admin\AppData\Local\Temp\tmp240610640.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240610640.exe
      4⤵
      Executes dropped EXE
      PID:4984

C:\Users\Admin\AppData\Local\Temp\tmp240608890.exe
C:\Users\Admin\AppData\Local\Temp\tmp240608890.exe
1⤵
- Executes dropped EXE
PID:5084
- C:\Users\Admin\AppData\Local\Temp\tmp240609250.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240609250.exe
  2⤵
  PID:1980
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    PID:2588
  - - C:\Users\Admin\AppData\Local\Temp\tmp240610500.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240610500.exe
      4⤵
      Executes dropped EXE
      PID:1288
  - - C:\Users\Admin\AppData\Local\Temp\tmp240610671.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240610671.exe
      4⤵
      Executes dropped EXE
      PID:2184
    - - C:\Users\Admin\AppData\Local\Temp\tmp240611421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611421.exe
        5⤵
        Executes dropped EXE
        
        PID:4132
    - - C:\Users\Admin\AppData\Local\Temp\tmp240611625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240611625.exe
        5⤵
        
        PID:2444
- C:\Users\Admin\AppData\Local\Temp\tmp240609906.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240609906.exe
  2⤵
  - Executes dropped EXE
  PID:2508

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:3900
- C:\Users\Admin\AppData\Local\Temp\tmp240616421.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240616421.exe
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  PID:1664
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:1060
  - - C:\Users\Admin\AppData\Local\Temp\tmp240617234.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240617234.exe
      4⤵
      PID:3520
  - - C:\Users\Admin\AppData\Local\Temp\tmp240618296.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240618296.exe
      4⤵
      PID:3788
    - - C:\Users\Admin\AppData\Local\Temp\tmp240619125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619125.exe
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2732
    - - C:\Users\Admin\AppData\Local\Temp\tmp240618640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618640.exe
        5⤵
        
        PID:3588
- C:\Users\Admin\AppData\Local\Temp\tmp240616937.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240616937.exe
  2⤵
  PID:2312
- - C:\Users\Admin\AppData\Local\Temp\tmp240618281.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240618281.exe
    3⤵
    PID:856
- - C:\Users\Admin\AppData\Local\Temp\tmp240617203.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240617203.exe
    3⤵
    - Checks computer location settings
    - Drops file in System32 directory
    - Modifies registry class
    PID:532
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      PID:4428
    - - C:\Users\Admin\AppData\Local\Temp\tmp240618750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618750.exe
        5⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3392
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619328.exe
        7⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620390.exe
        9⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620718.exe
        10⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2452
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621437.exe
        12⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622000.exe
        12⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622515.exe
        13⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622359.exe
        13⤵
        
        PID:3300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621187.exe
        10⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240716343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240716343.exe
        11⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\tmp240716531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240716531.exe
        11⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\tmp240716781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240716781.exe
        12⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718562.exe
        12⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718796.exe
        13⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718875.exe
        13⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719031.exe
        14⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719218.exe
        14⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719281.exe
        15⤵
        
        PID:4192
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719328.exe
        15⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620046.exe
        9⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619796.exe
        7⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620328.exe
        8⤵
        Executes dropped EXE
        Checks computer location settings
        Modifies registry class
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620468.exe
        8⤵
        
        PID:3148
    - - C:\Users\Admin\AppData\Local\Temp\tmp240619062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619062.exe
        5⤵
        
        PID:3968
      - C:\Users\Admin\AppData\Local\Temp\tmp240619218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619218.exe
        6⤵
        
        PID:4280
      - C:\Users\Admin\AppData\Local\Temp\tmp240619812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619812.exe
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4616

C:\Users\Admin\AppData\Local\Temp\tmp240616062.exe
C:\Users\Admin\AppData\Local\Temp\tmp240616062.exe
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:2768

C:\Users\Admin\AppData\Local\Temp\tmp240616156.exe
C:\Users\Admin\AppData\Local\Temp\tmp240616156.exe
1⤵
- Executes dropped EXE
PID:4284
- C:\Users\Admin\AppData\Local\Temp\tmp240617062.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240617062.exe
  2⤵
  - Executes dropped EXE
  PID:1764
- C:\Users\Admin\AppData\Local\Temp\tmp240616625.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240616625.exe
  2⤵
  PID:1392

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
- Executes dropped EXE
PID:3144

C:\Windows\SysWOW64\notpad.exe
"C:\Windows\system32\notpad.exe"
1⤵
PID:4120
- C:\Users\Admin\AppData\Local\Temp\tmp240620671.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240620671.exe
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  PID:2416
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:4476
  - - C:\Users\Admin\AppData\Local\Temp\tmp240620953.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240620953.exe
      4⤵
      Checks computer location settings
      Modifies registry class
      PID:1808
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:5020
  - - C:\Users\Admin\AppData\Local\Temp\tmp240621953.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240621953.exe
      4⤵
      Executes dropped EXE
      PID:5060
    - - C:\Users\Admin\AppData\Local\Temp\tmp240622390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622390.exe
        5⤵
        
        PID:5040
    - - C:\Users\Admin\AppData\Local\Temp\tmp240622484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622484.exe
        5⤵
        
        PID:4076
- C:\Users\Admin\AppData\Local\Temp\tmp240620734.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240620734.exe
  2⤵
  - Executes dropped EXE
  PID:2444
- - C:\Users\Admin\AppData\Local\Temp\tmp240621640.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240621640.exe
    3⤵
    - Executes dropped EXE
    PID:4720
- - C:\Users\Admin\AppData\Local\Temp\tmp240622265.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240622265.exe
    3⤵
    PID:1436

C:\Users\Admin\AppData\Local\Temp\tmp240622671.exe
C:\Users\Admin\AppData\Local\Temp\tmp240622671.exe
1⤵
PID:4888
- C:\Users\Admin\AppData\Local\Temp\tmp240622734.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240622734.exe
  2⤵
  PID:4500
- C:\Users\Admin\AppData\Local\Temp\tmp240622718.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240622718.exe
  2⤵
  - Checks computer location settings
  - Drops file in System32 directory
  - Modifies registry class
  PID:1568
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    PID:4412
  - - C:\Users\Admin\AppData\Local\Temp\tmp240625203.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240625203.exe
      4⤵
      Checks computer location settings
      Drops file in System32 directory
      Modifies registry class
      PID:5004
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        
        PID:228
      - C:\Users\Admin\AppData\Local\Temp\tmp240625750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625750.exe
        6⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709453.exe
        7⤵
        
        PID:4564
      - C:\Users\Admin\AppData\Local\Temp\tmp240626031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626031.exe
        6⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626531.exe
        7⤵
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650078.exe
        8⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626718.exe
        7⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626859.exe
        8⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626953.exe
        8⤵
        
        PID:3096
  - - C:\Users\Admin\AppData\Local\Temp\tmp240625312.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240625312.exe
      4⤵
      PID:4908
    - - C:\Users\Admin\AppData\Local\Temp\tmp240625453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625453.exe
        5⤵
        Checks computer location settings
        Modifies registry class
        
        PID:216
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626421.exe
        7⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626937.exe
        9⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627125.exe
        9⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627375.exe
        10⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627406.exe
        10⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627562.exe
        11⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627796.exe
        11⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626515.exe
        7⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626921.exe
        8⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4508
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627421.exe
        10⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627765.exe
        10⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628265.exe
        11⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628406.exe
        11⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628515.exe
        12⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628593.exe
        12⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627093.exe
        8⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627453.exe
        9⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1656
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628156.exe
        11⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2312
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628968.exe
        13⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3392
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        14⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629625.exe
        15⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3792
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630156.exe
        17⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633890.exe
        19⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2444
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635656.exe
        21⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635812.exe
        21⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637156.exe
        22⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637250.exe
        22⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638031.exe
        23⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638640.exe
        23⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639500.exe
        24⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639828.exe
        24⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640859.exe
        25⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643625.exe
        25⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644609.exe
        26⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644937.exe
        26⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645359.exe
        27⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645484.exe
        27⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634734.exe
        19⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635062.exe
        20⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        21⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636203.exe
        22⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1420
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        23⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638078.exe
        24⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3640
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        25⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639437.exe
        26⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4284
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        27⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641046.exe
        28⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643718.exe
        28⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644859.exe
        29⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645281.exe
        29⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646765.exe
        30⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647546.exe
        30⤵
        
        PID:3512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648718.exe
        31⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649890.exe
        31⤵
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650187.exe
        32⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650578.exe
        33⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650796.exe
        33⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650984.exe
        34⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650953.exe
        34⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709437.exe
        28⤵
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709531.exe
        28⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709843.exe
        29⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709953.exe
        29⤵
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710125.exe
        30⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710234.exe
        30⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\tmp240716234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240716234.exe
        31⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710375.exe
        31⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:908
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        32⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719515.exe
        33⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723000.exe
        33⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723484.exe
        34⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723671.exe
        35⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723812.exe
        35⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723968.exe
        36⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723984.exe
        36⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724187.exe
        37⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724234.exe
        37⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724421.exe
        38⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724562.exe
        38⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724781.exe
        39⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724937.exe
        39⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\tmp240725062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240725062.exe
        40⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240725156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240725156.exe
        40⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\tmp240725265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240725265.exe
        41⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240725281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240725281.exe
        41⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240725421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240725421.exe
        42⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240725468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240725468.exe
        42⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240725656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240725656.exe
        43⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\tmp240725718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240725718.exe
        43⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp240725796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240725796.exe
        44⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240725843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240725843.exe
        44⤵
        
        PID:2440
        
        C:\Users\Admin\AppData\Local\Temp\tmp240726000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240726000.exe
        45⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\tmp240726109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240726109.exe
        46⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240726187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240726187.exe
        46⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240726265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240726265.exe
        47⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\tmp240726312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240726312.exe
        47⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240725968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240725968.exe
        45⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723453.exe
        34⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640000.exe
        26⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640171.exe
        27⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640812.exe
        27⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643671.exe
        28⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643750.exe
        28⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645218.exe
        29⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645562.exe
        29⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647531.exe
        30⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647656.exe
        31⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648218.exe
        31⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649921.exe
        32⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650234.exe
        32⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645687.exe
        30⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638109.exe
        24⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639484.exe
        25⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640203.exe
        25⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640343.exe
        26⤵
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643546.exe
        26⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643765.exe
        27⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645015.exe
        27⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645578.exe
        28⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646609.exe
        29⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4064
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        30⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650031.exe
        31⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650250.exe
        31⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650359.exe
        32⤵
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650718.exe
        32⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650968.exe
        33⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651015.exe
        33⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651156.exe
        34⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651218.exe
        34⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651328.exe
        35⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651359.exe
        35⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651421.exe
        36⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651437.exe
        36⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651703.exe
        37⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651734.exe
        37⤵
        
        PID:600
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651859.exe
        38⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4100
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        39⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652593.exe
        40⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3140
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        41⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653640.exe
        42⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2236
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        43⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658984.exe
        44⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:852
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        45⤵
        
        PID:616
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662078.exe
        46⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662375.exe
        47⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662531.exe
        47⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662765.exe
        48⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662828.exe
        48⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663062.exe
        49⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663093.exe
        49⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663328.exe
        50⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663437.exe
        50⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663625.exe
        51⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663687.exe
        51⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663921.exe
        52⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663984.exe
        52⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667500.exe
        53⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667546.exe
        53⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667765.exe
        54⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        55⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668812.exe
        56⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668890.exe
        56⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669203.exe
        57⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1520
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        58⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671968.exe
        59⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673937.exe
        59⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676796.exe
        60⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677234.exe
        60⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677921.exe
        61⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678468.exe
        61⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680437.exe
        62⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3712
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        63⤵
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684640.exe
        64⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685609.exe
        64⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687984.exe
        65⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688734.exe
        65⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689875.exe
        66⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691015.exe
        66⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692062.exe
        67⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692171.exe
        67⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693703.exe
        68⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697703.exe
        69⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700218.exe
        70⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703296.exe
        70⤵
        
        PID:3144
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707796.exe
        71⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708531.exe
        71⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709140.exe
        72⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709203.exe
        72⤵
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681250.exe
        62⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681953.exe
        63⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682843.exe
        63⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684625.exe
        64⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685046.exe
        64⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685843.exe
        65⤵
        
        PID:176
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687968.exe
        65⤵
        
        PID:3236
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688656.exe
        66⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689328.exe
        66⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689953.exe
        67⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4888
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        68⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693750.exe
        69⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:5008
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        70⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\tmp240715296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240715296.exe
        71⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240716390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240716390.exe
        71⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718734.exe
        72⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718937.exe
        72⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719156.exe
        73⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719312.exe
        73⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722859.exe
        74⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4036
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        75⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724546.exe
        76⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4900
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        77⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240726078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240726078.exe
        78⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3336
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        79⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\tmp240732781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240732781.exe
        80⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240732812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240732812.exe
        80⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240734250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240734250.exe
        81⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\tmp240734328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240734328.exe
        81⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240734656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240734656.exe
        82⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\tmp240726156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240726156.exe
        78⤵
        
        PID:600
        
        C:\Users\Admin\AppData\Local\Temp\tmp240732359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240732359.exe
        79⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\tmp240732437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240732437.exe
        79⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240732718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240732718.exe
        80⤵
        Drops file in System32 directory
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240732843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240732843.exe
        80⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240733187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240733187.exe
        81⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\tmp240733250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240733250.exe
        81⤵
        
        PID:4764
        
        C:\Users\Admin\AppData\Local\Temp\tmp240734625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240734625.exe
        82⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724640.exe
        76⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\tmp240725453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240725453.exe
        77⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\tmp240725750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240725750.exe
        78⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\tmp240725781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240725781.exe
        78⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\tmp240725953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240725953.exe
        79⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240726015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240726015.exe
        79⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\tmp240726359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240726359.exe
        80⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\tmp240732453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240732453.exe
        80⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240732734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240732734.exe
        81⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240732796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240732796.exe
        81⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\tmp240732984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240732984.exe
        82⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\tmp240733046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240733046.exe
        82⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240733265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240733265.exe
        83⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240734265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240734265.exe
        83⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\tmp240734468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240734468.exe
        84⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240734531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240734531.exe
        84⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240725406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240725406.exe
        77⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697062.exe
        69⤵
        
        PID:3948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710000.exe
        70⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710171.exe
        70⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240716468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240716468.exe
        71⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718656.exe
        72⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718671.exe
        72⤵
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240718968.exe
        73⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719046.exe
        73⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719265.exe
        74⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719296.exe
        74⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240719484.exe
        75⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240722984.exe
        75⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723109.exe
        76⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723390.exe
        76⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723578.exe
        77⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723640.exe
        77⤵
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723765.exe
        78⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240723875.exe
        78⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724015.exe
        79⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724062.exe
        79⤵
        
        PID:372
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724156.exe
        80⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724203.exe
        80⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724390.exe
        81⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724500.exe
        81⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724578.exe
        82⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724625.exe
        82⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724750.exe
        83⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240724796.exe
        83⤵
        
        PID:1296
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690546.exe
        67⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691046.exe
        68⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670328.exe
        57⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671796.exe
        58⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1048
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        59⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675125.exe
        60⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675312.exe
        60⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677171.exe
        61⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677203.exe
        61⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677968.exe
        62⤵
        
        PID:2280
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678421.exe
        62⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679437.exe
        63⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680156.exe
        63⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681500.exe
        64⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681968.exe
        64⤵
        
        PID:4236
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684609.exe
        65⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685000.exe
        65⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686640.exe
        66⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687890.exe
        66⤵
        
        PID:612
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688703.exe
        67⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690875.exe
        67⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691312.exe
        68⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692078.exe
        68⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693484.exe
        69⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693906.exe
        70⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697593.exe
        71⤵
        
        PID:4080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698890.exe
        71⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700265.exe
        72⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240703312.exe
        72⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706515.exe
        73⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707671.exe
        73⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692609.exe
        69⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240716359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240716359.exe
        70⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673437.exe
        58⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674062.exe
        59⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674812.exe
        59⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675468.exe
        60⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676640.exe
        60⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677265.exe
        61⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677515.exe
        61⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678343.exe
        62⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678953.exe
        62⤵
        
        PID:600
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680125.exe
        63⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680468.exe
        63⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681343.exe
        64⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682093.exe
        64⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684437.exe
        65⤵
        
        PID:364
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684578.exe
        65⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686625.exe
        66⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687328.exe
        67⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687437.exe
        67⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688500.exe
        68⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688609.exe
        68⤵
        
        PID:4004
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689359.exe
        69⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689937.exe
        69⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685656.exe
        66⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693640.exe
        64⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697484.exe
        65⤵
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240698687.exe
        66⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700109.exe
        66⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706453.exe
        67⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707750.exe
        67⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708359.exe
        68⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709046.exe
        68⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694250.exe
        65⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693500.exe
        64⤵
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668031.exe
        54⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668515.exe
        55⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668578.exe
        55⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668703.exe
        56⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2500
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        57⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670015.exe
        58⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670484.exe
        58⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674015.exe
        59⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3512
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        60⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677359.exe
        61⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677562.exe
        61⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678968.exe
        62⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4260
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        63⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681281.exe
        64⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681750.exe
        64⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684593.exe
        65⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685484.exe
        65⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686875.exe
        66⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687453.exe
        66⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688468.exe
        67⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688640.exe
        67⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689906.exe
        68⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691187.exe
        68⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692093.exe
        69⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693078.exe
        69⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693546.exe
        70⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694359.exe
        70⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700203.exe
        71⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705000.exe
        71⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707875.exe
        72⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708921.exe
        72⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709187.exe
        73⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709234.exe
        73⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679453.exe
        62⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681046.exe
        63⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681453.exe
        63⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682906.exe
        64⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684265.exe
        64⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686390.exe
        65⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687421.exe
        66⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687859.exe
        66⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688484.exe
        67⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691109.exe
        67⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692265.exe
        68⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693062.exe
        68⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693578.exe
        69⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693968.exe
        69⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697687.exe
        70⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240700125.exe
        70⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240705015.exe
        71⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706546.exe
        71⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707859.exe
        72⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709281.exe
        72⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709640.exe
        73⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709937.exe
        74⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710093.exe
        74⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685640.exe
        65⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675296.exe
        59⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676812.exe
        60⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677156.exe
        60⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678000.exe
        61⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709562.exe
        62⤵
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678437.exe
        61⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680093.exe
        62⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680984.exe
        62⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682109.exe
        63⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684250.exe
        64⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684984.exe
        64⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685859.exe
        65⤵
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686453.exe
        65⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240687531.exe
        66⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688109.exe
        66⤵
        
        PID:3396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691218.exe
        67⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691625.exe
        67⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692484.exe
        68⤵
        
        PID:1488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693390.exe
        68⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668875.exe
        56⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669000.exe
        57⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669046.exe
        57⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670109.exe
        58⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670562.exe
        58⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659000.exe
        44⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659125.exe
        45⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659515.exe
        45⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659734.exe
        46⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659796.exe
        46⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660000.exe
        47⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661859.exe
        47⤵
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662140.exe
        48⤵
        
        PID:4444
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662343.exe
        48⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662484.exe
        49⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662546.exe
        49⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662796.exe
        50⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662875.exe
        50⤵
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663421.exe
        51⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663593.exe
        52⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663718.exe
        52⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663890.exe
        53⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663937.exe
        53⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666968.exe
        54⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667437.exe
        54⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667515.exe
        55⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667593.exe
        55⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710281.exe
        53⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663281.exe
        51⤵
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653765.exe
        42⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653921.exe
        43⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658875.exe
        43⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659578.exe
        44⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659703.exe
        44⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659875.exe
        45⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660015.exe
        45⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661968.exe
        46⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662093.exe
        47⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662421.exe
        47⤵
        
        PID:3348
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662593.exe
        48⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662718.exe
        48⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663000.exe
        49⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663109.exe
        49⤵
        
        PID:612
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663312.exe
        50⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663453.exe
        51⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663562.exe
        51⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663703.exe
        52⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663796.exe
        52⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663250.exe
        50⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661937.exe
        46⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652640.exe
        40⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652859.exe
        41⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653046.exe
        41⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653187.exe
        42⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653234.exe
        42⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653359.exe
        43⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653421.exe
        43⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653515.exe
        44⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653562.exe
        44⤵
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653656.exe
        45⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653703.exe
        45⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653812.exe
        46⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653843.exe
        46⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658906.exe
        47⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659250.exe
        47⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659343.exe
        48⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659406.exe
        48⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659546.exe
        49⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659609.exe
        49⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651875.exe
        38⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647562.exe
        29⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648109.exe
        30⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648187.exe
        30⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636890.exe
        22⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637203.exe
        23⤵
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637359.exe
        23⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639468.exe
        24⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640125.exe
        24⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643578.exe
        25⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643687.exe
        25⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645203.exe
        26⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645390.exe
        27⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645671.exe
        27⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647593.exe
        28⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647953.exe
        28⤵
        
        PID:4472
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693796.exe
        27⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644843.exe
        26⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693765.exe
        22⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635781.exe
        20⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636859.exe
        21⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637343.exe
        21⤵
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639312.exe
        22⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1396
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        23⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639984.exe
        24⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640312.exe
        24⤵
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643703.exe
        25⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644703.exe
        25⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645062.exe
        26⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645296.exe
        26⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647234.exe
        27⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648031.exe
        27⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648125.exe
        28⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648234.exe
        28⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649937.exe
        29⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650156.exe
        29⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650500.exe
        30⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3624
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        31⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651718.exe
        32⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651750.exe
        32⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651968.exe
        33⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651984.exe
        33⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652125.exe
        34⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652156.exe
        34⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652312.exe
        35⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710328.exe
        36⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\tmp240715234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240715234.exe
        37⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\tmp240716406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240716406.exe
        37⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710250.exe
        36⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652343.exe
        35⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652421.exe
        36⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652453.exe
        36⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652531.exe
        37⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652578.exe
        37⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652718.exe
        38⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652750.exe
        38⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652812.exe
        39⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652968.exe
        39⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653171.exe
        40⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653218.exe
        40⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650625.exe
        30⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639515.exe
        22⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640046.exe
        23⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640218.exe
        23⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640421.exe
        24⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1104
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        25⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645500.exe
        26⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645703.exe
        27⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647609.exe
        27⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649859.exe
        28⤵
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650046.exe
        29⤵
        
        PID:3440
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650109.exe
        29⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650281.exe
        30⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650406.exe
        30⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650562.exe
        31⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650640.exe
        31⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651265.exe
        32⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650859.exe
        32⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648203.exe
        28⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643640.exe
        24⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644640.exe
        25⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644921.exe
        25⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630203.exe
        17⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630265.exe
        18⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630359.exe
        18⤵
        
        PID:1332
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633453.exe
        19⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633828.exe
        19⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635468.exe
        20⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635859.exe
        20⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636843.exe
        21⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637265.exe
        21⤵
        
        PID:3904
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638203.exe
        22⤵
        
        PID:1216
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639250.exe
        22⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629640.exe
        15⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629703.exe
        16⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629750.exe
        16⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629859.exe
        17⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629890.exe
        17⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629953.exe
        18⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645421.exe
        19⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629984.exe
        18⤵
        
        PID:800
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630046.exe
        19⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630062.exe
        19⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628984.exe
        13⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629140.exe
        14⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629156.exe
        14⤵
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629234.exe
        15⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629250.exe
        15⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629343.exe
        16⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629375.exe
        16⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628250.exe
        11⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628359.exe
        12⤵
        
        PID:1336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628453.exe
        12⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628562.exe
        13⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628609.exe
        13⤵
        
        PID:3588
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627687.exe
        9⤵
        
        PID:3488
    - - C:\Users\Admin\AppData\Local\Temp\tmp240625968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625968.exe
        5⤵
        
        PID:4768
      - C:\Users\Admin\AppData\Local\Temp\tmp240626406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626406.exe
        6⤵
        
        PID:1264
      - C:\Users\Admin\AppData\Local\Temp\tmp240626750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626750.exe
        6⤵
        
        PID:4704

C:\Users\Admin\AppData\Local\Temp\tmp240622609.exe
C:\Users\Admin\AppData\Local\Temp\tmp240622609.exe
1⤵
PID:796

C:\Users\Admin\AppData\Local\Temp\tmp240645437.exe
C:\Users\Admin\AppData\Local\Temp\tmp240645437.exe
1⤵
PID:3160

C:\Users\Admin\AppData\Local\Temp\tmp240661984.exe
C:\Users\Admin\AppData\Local\Temp\tmp240661984.exe
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
PID:3336
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  PID:2440
- - C:\Users\Admin\AppData\Local\Temp\tmp240667625.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240667625.exe
    3⤵
    PID:1208
- - C:\Users\Admin\AppData\Local\Temp\tmp240667750.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240667750.exe
    3⤵
    PID:4280
  - - C:\Users\Admin\AppData\Local\Temp\tmp240668562.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240668562.exe
      4⤵
      PID:1888
  - - C:\Users\Admin\AppData\Local\Temp\tmp240668656.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240668656.exe
      4⤵
      PID:3088
    - - C:\Users\Admin\AppData\Local\Temp\tmp240668984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668984.exe
        5⤵
        
        PID:3984
    - - C:\Users\Admin\AppData\Local\Temp\tmp240669015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669015.exe
        5⤵
        
        PID:1140
      - C:\Users\Admin\AppData\Local\Temp\tmp240670296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670296.exe
        6⤵
        
        PID:4468
      - C:\Users\Admin\AppData\Local\Temp\tmp240671843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671843.exe
        6⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674031.exe
        7⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674671.exe
        7⤵
        
        PID:176
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675281.exe
        8⤵
        
        PID:1272
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676609.exe
        9⤵
        
        PID:4664
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676656.exe
        9⤵
        
        PID:1264
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677281.exe
        10⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679546.exe
        12⤵
        
        PID:2204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680062.exe
        12⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681187.exe
        13⤵
        
        PID:856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681421.exe
        13⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684234.exe
        14⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684734.exe
        15⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3540
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688750.exe
        17⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689343.exe
        17⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690578.exe
        18⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691546.exe
        18⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240693296.exe
        19⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240694234.exe
        20⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240697640.exe
        21⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\tmp240699421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240699421.exe
        21⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240706468.exe
        22⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240707656.exe
        22⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240708625.exe
        23⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240709093.exe
        23⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710078.exe
        24⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240710343.exe
        25⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692453.exe
        19⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685015.exe
        15⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686703.exe
        16⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686890.exe
        16⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688125.exe
        17⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240688515.exe
        17⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240689453.exe
        18⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691031.exe
        19⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240691265.exe
        20⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240692562.exe
        20⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240690906.exe
        19⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682718.exe
        14⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677546.exe
        10⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678375.exe
        11⤵
        
        PID:4008
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678859.exe
        11⤵
        
        PID:3900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680078.exe
        12⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680203.exe
        12⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681015.exe
        13⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681906.exe
        13⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682890.exe
        14⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240684312.exe
        14⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685031.exe
        15⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240685562.exe
        15⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686437.exe
        16⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240686843.exe
        16⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674859.exe
        8⤵
        
        PID:1216

C:\Users\Admin\AppData\Local\Temp\tmp240681937.exe
C:\Users\Admin\AppData\Local\Temp\tmp240681937.exe
1⤵
PID:3772

C:\Users\Admin\AppData\Local\Temp\tmp240689390.exe
C:\Users\Admin\AppData\Local\Temp\tmp240689390.exe
1⤵
PID:2828

C:\Users\Admin\AppData\Local\Temp\tmp240693718.exe
C:\Users\Admin\AppData\Local\Temp\tmp240693718.exe
1⤵
PID:4932

C:\Users\Admin\AppData\Local\Temp\tmp240693812.exe
C:\Users\Admin\AppData\Local\Temp\tmp240693812.exe
1⤵
PID:616
- C:\Users\Admin\AppData\Local\Temp\tmp240694328.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240694328.exe
  2⤵
  PID:4032
- C:\Users\Admin\AppData\Local\Temp\tmp240697718.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240697718.exe
  2⤵
  PID:1984
- - C:\Users\Admin\AppData\Local\Temp\tmp240700171.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240700171.exe
    3⤵
    PID:1684
- - C:\Users\Admin\AppData\Local\Temp\tmp240703265.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240703265.exe
    3⤵
    PID:4252

C:\Users\Admin\AppData\Local\Temp\tmp240693515.exe
C:\Users\Admin\AppData\Local\Temp\tmp240693515.exe
1⤵
PID:1864

C:\Users\Admin\AppData\Local\Temp\tmp240697609.exe
C:\Users\Admin\AppData\Local\Temp\tmp240697609.exe
1⤵
PID:4248

C:\Users\Admin\AppData\Local\Temp\tmp240709484.exe
C:\Users\Admin\AppData\Local\Temp\tmp240709484.exe
1⤵
PID:4848
- C:\Users\Admin\AppData\Local\Temp\tmp240709765.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240709765.exe
  2⤵
  PID:3004
- - C:\Users\Admin\AppData\Local\Temp\tmp240709968.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240709968.exe
    3⤵
    PID:1500
- - C:\Users\Admin\AppData\Local\Temp\tmp240710046.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240710046.exe
    3⤵
    PID:1832
- C:\Users\Admin\AppData\Local\Temp\tmp240709703.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240709703.exe
  2⤵
  PID:612

C:\Users\Admin\AppData\Local\Temp\tmp240709421.exe
C:\Users\Admin\AppData\Local\Temp\tmp240709421.exe
1⤵
PID:2764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp240601437.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240601437.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240601812.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240602265.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240602265.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240602703.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240603234.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240603234.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240603546.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240603953.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240603953.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240604468.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240604906.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240604906.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240605093.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240605453.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240605453.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240605875.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240608062.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240608062.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240608390.exe

Filesize
2.5MB

MD5
a15323dd0ffe650101d38287143c1c2c

SHA1
aa5f32618fc132bfc5d70282b4c18380b0afbcdb

SHA256
0549cbb5a580e0fce50e022894225578ad6bed21ddc1618ae6ebf59c88d1e965

SHA512
ff454e31321f63ab19bf8c0e6e2bd9211eb8ffc9e3eba46cb665e9555340e28dc5d1c6ff2201f191646937c7e1574edf851fb6c32fdcc8342f71e672070de36b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240608390.exe

Filesize
2.5MB

MD5
a15323dd0ffe650101d38287143c1c2c

SHA1
aa5f32618fc132bfc5d70282b4c18380b0afbcdb

SHA256
0549cbb5a580e0fce50e022894225578ad6bed21ddc1618ae6ebf59c88d1e965

SHA512
ff454e31321f63ab19bf8c0e6e2bd9211eb8ffc9e3eba46cb665e9555340e28dc5d1c6ff2201f191646937c7e1574edf851fb6c32fdcc8342f71e672070de36b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240608656.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240608656.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240608828.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240608828.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240608890.exe

Filesize
2.5MB

MD5
a15323dd0ffe650101d38287143c1c2c

SHA1
aa5f32618fc132bfc5d70282b4c18380b0afbcdb

SHA256
0549cbb5a580e0fce50e022894225578ad6bed21ddc1618ae6ebf59c88d1e965

SHA512
ff454e31321f63ab19bf8c0e6e2bd9211eb8ffc9e3eba46cb665e9555340e28dc5d1c6ff2201f191646937c7e1574edf851fb6c32fdcc8342f71e672070de36b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240608890.exe

Filesize
2.5MB

MD5
a15323dd0ffe650101d38287143c1c2c

SHA1
aa5f32618fc132bfc5d70282b4c18380b0afbcdb

SHA256
0549cbb5a580e0fce50e022894225578ad6bed21ddc1618ae6ebf59c88d1e965

SHA512
ff454e31321f63ab19bf8c0e6e2bd9211eb8ffc9e3eba46cb665e9555340e28dc5d1c6ff2201f191646937c7e1574edf851fb6c32fdcc8342f71e672070de36b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240609078.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240609250.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240609250.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240609562.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240609562.exe

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240609906.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240610000.exe

Filesize
2.5MB

MD5
a15323dd0ffe650101d38287143c1c2c

SHA1
aa5f32618fc132bfc5d70282b4c18380b0afbcdb

SHA256
0549cbb5a580e0fce50e022894225578ad6bed21ddc1618ae6ebf59c88d1e965

SHA512
ff454e31321f63ab19bf8c0e6e2bd9211eb8ffc9e3eba46cb665e9555340e28dc5d1c6ff2201f191646937c7e1574edf851fb6c32fdcc8342f71e672070de36b

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
1024KB

MD5
a38398e80d5d555b465188145a206978

SHA1
a42cb31cc636d6881af2e75947489554fce6cb7e

SHA256
02598e7a4377a2649bfaabc9503bcd32629d8d09ef1aeea2cc6543bc57e14d3d

SHA512
62db64eb4d4f00c27b08f8bfa5c7077ccf91d8e3ca0425731e0c586de34b9ec064f87a2014edc455ee38c054e57b9540fd44ac64f11e328f847253b4355a8d5a

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
2.4MB

MD5
65208115be86242665db31cde098b846

SHA1
a084409828fd5d2bdc73fd96413580778211577b

SHA256
f579fdec39e2802ad2e5dda244239ee5824f0a1a2dff47a01eb4cb44364a05ef

SHA512
316298ff984cb3fa31ebb6c0fe0675546ab0d25ad4353fa1c832a54b4dba09a137054dfbecf5dbb2af6d9003758994cb2976dc2b3be0a459f2be7dc37f382963

Download Submit
C:\Windows\SysWOW64\fsb.tmp

Filesize
2.4MB

MD5
eea134df8c6fad7ef194105335555cf0

SHA1
6292cf1e7d49fd64281fc1dff4f1c663495ac1c4

SHA256
beaf286caea5b79b7eb67b56e196b54ff49022bc683a419d527f099d66d4d12e

SHA512
5a77ba3d7315aa6c6d7b308146b73f1ca0f7d5748e67aac54f61e4b23ebe28ab0a18e648da759ede8f79f3b3d8cc92c7ba71af4751677fe371e9b4aae2db2226

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
4.9MB

MD5
59726c15958ebaff8677b3cb0ec9152d

SHA1
e98f0301e0a5e4ff05aa06ae1a2e3776e3fa297a

SHA256
8291a76805a0f1c2854fb974f1d1c1544879431380177cf333812b466de068c9

SHA512
c605641fd99524cd2e7b86153647b352fd8cac57ccaa46711a13788aa8377adbfe517cd6a164a4bc2b2c3a9c940a18bfccd47b5e1614b11f7e312a76b5392e51

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
4.9MB

MD5
59726c15958ebaff8677b3cb0ec9152d

SHA1
e98f0301e0a5e4ff05aa06ae1a2e3776e3fa297a

SHA256
8291a76805a0f1c2854fb974f1d1c1544879431380177cf333812b466de068c9

SHA512
c605641fd99524cd2e7b86153647b352fd8cac57ccaa46711a13788aa8377adbfe517cd6a164a4bc2b2c3a9c940a18bfccd47b5e1614b11f7e312a76b5392e51

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
4.9MB

MD5
59726c15958ebaff8677b3cb0ec9152d

SHA1
e98f0301e0a5e4ff05aa06ae1a2e3776e3fa297a

SHA256
8291a76805a0f1c2854fb974f1d1c1544879431380177cf333812b466de068c9

SHA512
c605641fd99524cd2e7b86153647b352fd8cac57ccaa46711a13788aa8377adbfe517cd6a164a4bc2b2c3a9c940a18bfccd47b5e1614b11f7e312a76b5392e51

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
4.9MB

MD5
59726c15958ebaff8677b3cb0ec9152d

SHA1
e98f0301e0a5e4ff05aa06ae1a2e3776e3fa297a

SHA256
8291a76805a0f1c2854fb974f1d1c1544879431380177cf333812b466de068c9

SHA512
c605641fd99524cd2e7b86153647b352fd8cac57ccaa46711a13788aa8377adbfe517cd6a164a4bc2b2c3a9c940a18bfccd47b5e1614b11f7e312a76b5392e51

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
2.5MB

MD5
a15323dd0ffe650101d38287143c1c2c

SHA1
aa5f32618fc132bfc5d70282b4c18380b0afbcdb

SHA256
0549cbb5a580e0fce50e022894225578ad6bed21ddc1618ae6ebf59c88d1e965

SHA512
ff454e31321f63ab19bf8c0e6e2bd9211eb8ffc9e3eba46cb665e9555340e28dc5d1c6ff2201f191646937c7e1574edf851fb6c32fdcc8342f71e672070de36b

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
2.5MB

MD5
a15323dd0ffe650101d38287143c1c2c

SHA1
aa5f32618fc132bfc5d70282b4c18380b0afbcdb

SHA256
0549cbb5a580e0fce50e022894225578ad6bed21ddc1618ae6ebf59c88d1e965

SHA512
ff454e31321f63ab19bf8c0e6e2bd9211eb8ffc9e3eba46cb665e9555340e28dc5d1c6ff2201f191646937c7e1574edf851fb6c32fdcc8342f71e672070de36b

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
2.5MB

MD5
a15323dd0ffe650101d38287143c1c2c

SHA1
aa5f32618fc132bfc5d70282b4c18380b0afbcdb

SHA256
0549cbb5a580e0fce50e022894225578ad6bed21ddc1618ae6ebf59c88d1e965

SHA512
ff454e31321f63ab19bf8c0e6e2bd9211eb8ffc9e3eba46cb665e9555340e28dc5d1c6ff2201f191646937c7e1574edf851fb6c32fdcc8342f71e672070de36b

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
2.5MB

MD5
a15323dd0ffe650101d38287143c1c2c

SHA1
aa5f32618fc132bfc5d70282b4c18380b0afbcdb

SHA256
0549cbb5a580e0fce50e022894225578ad6bed21ddc1618ae6ebf59c88d1e965

SHA512
ff454e31321f63ab19bf8c0e6e2bd9211eb8ffc9e3eba46cb665e9555340e28dc5d1c6ff2201f191646937c7e1574edf851fb6c32fdcc8342f71e672070de36b

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
2.5MB

MD5
a15323dd0ffe650101d38287143c1c2c

SHA1
aa5f32618fc132bfc5d70282b4c18380b0afbcdb

SHA256
0549cbb5a580e0fce50e022894225578ad6bed21ddc1618ae6ebf59c88d1e965

SHA512
ff454e31321f63ab19bf8c0e6e2bd9211eb8ffc9e3eba46cb665e9555340e28dc5d1c6ff2201f191646937c7e1574edf851fb6c32fdcc8342f71e672070de36b

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
2.5MB

MD5
a15323dd0ffe650101d38287143c1c2c

SHA1
aa5f32618fc132bfc5d70282b4c18380b0afbcdb

SHA256
0549cbb5a580e0fce50e022894225578ad6bed21ddc1618ae6ebf59c88d1e965

SHA512
ff454e31321f63ab19bf8c0e6e2bd9211eb8ffc9e3eba46cb665e9555340e28dc5d1c6ff2201f191646937c7e1574edf851fb6c32fdcc8342f71e672070de36b

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
2.5MB

MD5
a15323dd0ffe650101d38287143c1c2c

SHA1
aa5f32618fc132bfc5d70282b4c18380b0afbcdb

SHA256
0549cbb5a580e0fce50e022894225578ad6bed21ddc1618ae6ebf59c88d1e965

SHA512
ff454e31321f63ab19bf8c0e6e2bd9211eb8ffc9e3eba46cb665e9555340e28dc5d1c6ff2201f191646937c7e1574edf851fb6c32fdcc8342f71e672070de36b

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
memory/372-165-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/372-301-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/372-298-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/372-157-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/396-318-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/396-315-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/908-251-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/908-248-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/964-316-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/964-317-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1060-308-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1060-306-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1272-168-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1272-176-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1456-143-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1456-154-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1576-311-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1576-314-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1696-146-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1696-142-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1792-295-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1908-244-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1908-230-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2080-270-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2184-263-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2184-261-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2312-304-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2312-307-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2588-249-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2588-254-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2960-296-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2968-226-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3088-321-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3144-299-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3144-300-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3552-322-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3684-285-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3684-273-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3756-258-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3788-310-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3900-305-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3948-195-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3968-313-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3968-312-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4116-225-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4120-323-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4120-320-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4128-260-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4128-266-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4204-214-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4204-205-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4284-302-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4288-186-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4336-303-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4428-309-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4476-319-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4592-279-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4592-283-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4768-289-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4864-277-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4864-271-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4904-297-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5084-229-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5084-241-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download