0564485a47dcd739fe9a79f85ccc311bae4ed21bf5860011d6000b4cc4591c92

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
11/07/2024, 02:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

374b4a38a4cc8d687c87b0868cb71b90_JaffaCakes118.exe
Size

828KB
MD5

374b4a38a4cc8d687c87b0868cb71b90
SHA1

48a4c62588952da4e6f8e443174d05bb7d66a318
SHA256

0564485a47dcd739fe9a79f85ccc311bae4ed21bf5860011d6000b4cc4591c92
SHA512

55dcc8854e7f4ae1cced372c2adbe166fffadbedaf64c3b849b2d54eb52b8d4ffa692260f679840ea7e611af02d7ff5ee9a09bce813bf240be958c6da7ca82d5
SSDEEP

24576:ZDyTFtjSDyTFtjsDyTFtjSDyTFtjODyo1tj:utztZtztUt

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 62 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240640593.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240642203.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240646625.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240646765.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240647312.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240643328.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240646125.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240643921.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240644140.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240648421.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240642687.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240643671.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240644421.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240645687.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240646468.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240639546.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240642546.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240644843.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240648953.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240638109.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240639890.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240640406.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240644031.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240647000.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240648109.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240637718.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240642812.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240647765.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240648546.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240637109.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240641609.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240647437.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240647921.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240642953.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240644703.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240645312.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240647578.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240637921.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240642031.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240638468.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240641218.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240641453.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240644609.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240647140.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240639687.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240641859.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240646281.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240643796.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240644281.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240645109.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240645890.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240648265.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240638265.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240639312.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240640046.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240640234.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240642406.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240643109.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240638656.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240640828.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240641046.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240648671.exe

Executes dropped EXE 64 IoCs

pid	Process
1892	tmp240637109.exe
3064	tmp240637125.exe
4976	notpad.exe
1856	tmp240637718.exe
3360	tmp240637734.exe
4344	notpad.exe
5016	tmp240637921.exe
1868	tmp240637937.exe
2116	notpad.exe
4868	tmp240638109.exe
4372	tmp240638125.exe
4676	notpad.exe
1064	tmp240638265.exe
4720	tmp240638312.exe
4956	notpad.exe
996	tmp240638468.exe
2820	tmp240638500.exe
2972	notpad.exe
4728	tmp240638656.exe
3232	tmp240638671.exe
3544	notpad.exe
4800	tmp240639312.exe
1084	tmp240639328.exe
2956	tmp240639390.exe
2672	tmp240639421.exe
3772	notpad.exe
4888	tmp240639500.exe
4428	tmp240639515.exe
4496	tmp240639546.exe
2024	tmp240639578.exe
4716	notpad.exe
3660	tmp240639687.exe
4528	tmp240639703.exe
4292	tmp240639765.exe
4556	tmp240639781.exe
3516	notpad.exe
4396	tmp240639890.exe
2272	tmp240639906.exe
2592	tmp240639937.exe
4072	tmp240639953.exe
4024	notpad.exe
1060	tmp240640046.exe
2116	tmp240640062.exe
3464	tmp240640093.exe
2740	tmp240640109.exe
3816	tmp240640171.exe
4720	tmp240640187.exe
3016	notpad.exe
4452	tmp240640234.exe
3740	tmp240640250.exe
996	tmp240640296.exe
968	tmp240640328.exe
3276	tmp240640359.exe
3784	tmp240640375.exe
2716	notpad.exe
2884	tmp240640406.exe
3796	tmp240640421.exe
4364	tmp240640437.exe
1948	tmp240640468.exe
2672	tmp240640515.exe
3212	tmp240640546.exe
4800	notpad.exe
5024	tmp240640609.exe
4820	tmp240640593.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/544-0-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/544-12-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x00070000000234c5-24.dat	upx
behavioral2/memory/4976-54-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x00070000000234c1-42.dat	upx
behavioral2/memory/4344-58-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4344-77-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2116-99-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4676-103-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4676-122-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4956-144-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2972-148-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2972-164-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x00080000000234c5-175.dat	upx
behavioral2/memory/3544-177-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3544-199-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1084-210-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3772-218-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4528-263-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4528-272-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4716-262-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4428-243-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3772-225-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3516-285-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2272-286-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2272-297-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4024-316-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2116-319-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2116-330-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2740-332-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2740-343-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3016-347-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3740-357-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3016-362-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3740-370-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/968-371-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/968-377-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3784-399-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1948-403-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2716-402-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1948-411-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3212-412-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4800-416-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5024-421-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3212-420-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5024-437-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4800-445-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4432-455-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1116-452-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1116-476-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5084-477-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5084-488-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1856-492-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4136-495-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4020-504-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4948-507-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1760-505-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4660-525-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1760-530-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4948-527-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1060-540-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4180-542-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4660-539-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2028-561-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240639546.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240642406.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240642406.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240642687.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240645890.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240646125.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240638109.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240639312.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240647140.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240641859.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240643328.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240640046.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240641046.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240647312.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240648265.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240637921.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240641218.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240646468.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240647765.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240642687.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240644843.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240642546.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240643671.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240646468.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240648265.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240648953.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240639890.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240641609.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240640828.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240641046.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240643921.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240646281.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240647000.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240648546.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240639687.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240639687.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240642812.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240644140.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240645687.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240638265.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240642546.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240643109.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240646125.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240647000.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240647312.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240648109.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240649125.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240639890.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240640234.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240642546.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240642687.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240645109.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240638468.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240641218.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240644031.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240644031.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240640593.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240641859.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240643328.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240643796.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240643921.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240638468.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240642953.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240639546.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 63 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240646625.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240648546.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240637718.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240641046.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240643109.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240643921.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240644703.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240639312.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240640828.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240642812.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240644843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240645890.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240647140.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240649125.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240639890.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240643328.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240644140.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240647000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240648265.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240638265.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240640406.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240642031.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240644421.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240648109.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240638656.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240642687.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240644031.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240644281.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240646125.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240647312.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240647921.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240639546.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240648671.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240641453.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240646281.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240637109.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240640046.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240647437.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240647765.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240638109.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240642406.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240645687.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240638468.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240641218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240641609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240642953.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240643796.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240646468.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240639687.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240640593.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240644609.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240645312.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240647578.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240648421.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240640234.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240645109.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240648953.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240637921.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240642546.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240641859.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240642203.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240643671.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240646765.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 544 wrote to memory of 1892	544	374b4a38a4cc8d687c87b0868cb71b90_JaffaCakes118.exe	83
PID 544 wrote to memory of 1892	544	374b4a38a4cc8d687c87b0868cb71b90_JaffaCakes118.exe	83
PID 544 wrote to memory of 1892	544	374b4a38a4cc8d687c87b0868cb71b90_JaffaCakes118.exe	83
PID 544 wrote to memory of 3064	544	374b4a38a4cc8d687c87b0868cb71b90_JaffaCakes118.exe	84
PID 544 wrote to memory of 3064	544	374b4a38a4cc8d687c87b0868cb71b90_JaffaCakes118.exe	84
PID 544 wrote to memory of 3064	544	374b4a38a4cc8d687c87b0868cb71b90_JaffaCakes118.exe	84
PID 1892 wrote to memory of 4976	1892	tmp240637109.exe	86
PID 1892 wrote to memory of 4976	1892	tmp240637109.exe	86
PID 1892 wrote to memory of 4976	1892	tmp240637109.exe	86
PID 4976 wrote to memory of 1856	4976	notpad.exe	87
PID 4976 wrote to memory of 1856	4976	notpad.exe	87
PID 4976 wrote to memory of 1856	4976	notpad.exe	87
PID 4976 wrote to memory of 3360	4976	notpad.exe	88
PID 4976 wrote to memory of 3360	4976	notpad.exe	88
PID 4976 wrote to memory of 3360	4976	notpad.exe	88
PID 1856 wrote to memory of 4344	1856	tmp240637718.exe	89
PID 1856 wrote to memory of 4344	1856	tmp240637718.exe	89
PID 1856 wrote to memory of 4344	1856	tmp240637718.exe	89
PID 4344 wrote to memory of 5016	4344	notpad.exe	90
PID 4344 wrote to memory of 5016	4344	notpad.exe	90
PID 4344 wrote to memory of 5016	4344	notpad.exe	90
PID 4344 wrote to memory of 1868	4344	notpad.exe	91
PID 4344 wrote to memory of 1868	4344	notpad.exe	91
PID 4344 wrote to memory of 1868	4344	notpad.exe	91
PID 5016 wrote to memory of 2116	5016	tmp240637921.exe	128
PID 5016 wrote to memory of 2116	5016	tmp240637921.exe	128
PID 5016 wrote to memory of 2116	5016	tmp240637921.exe	128
PID 2116 wrote to memory of 4868	2116	notpad.exe	94
PID 2116 wrote to memory of 4868	2116	notpad.exe	94
PID 2116 wrote to memory of 4868	2116	notpad.exe	94
PID 2116 wrote to memory of 4372	2116	notpad.exe	95
PID 2116 wrote to memory of 4372	2116	notpad.exe	95
PID 2116 wrote to memory of 4372	2116	notpad.exe	95
PID 4868 wrote to memory of 4676	4868	tmp240638109.exe	96
PID 4868 wrote to memory of 4676	4868	tmp240638109.exe	96
PID 4868 wrote to memory of 4676	4868	tmp240638109.exe	96
PID 4676 wrote to memory of 1064	4676	notpad.exe	329
PID 4676 wrote to memory of 1064	4676	notpad.exe	329
PID 4676 wrote to memory of 1064	4676	notpad.exe	329
PID 4676 wrote to memory of 4720	4676	notpad.exe	132
PID 4676 wrote to memory of 4720	4676	notpad.exe	132
PID 4676 wrote to memory of 4720	4676	notpad.exe	132
PID 1064 wrote to memory of 4956	1064	tmp240638265.exe	100
PID 1064 wrote to memory of 4956	1064	tmp240638265.exe	100
PID 1064 wrote to memory of 4956	1064	tmp240638265.exe	100
PID 4956 wrote to memory of 996	4956	notpad.exe	136
PID 4956 wrote to memory of 996	4956	notpad.exe	136
PID 4956 wrote to memory of 996	4956	notpad.exe	136
PID 4956 wrote to memory of 2820	4956	notpad.exe	337
PID 4956 wrote to memory of 2820	4956	notpad.exe	337
PID 4956 wrote to memory of 2820	4956	notpad.exe	337
PID 996 wrote to memory of 2972	996	tmp240638468.exe	464
PID 996 wrote to memory of 2972	996	tmp240638468.exe	464
PID 996 wrote to memory of 2972	996	tmp240638468.exe	464
PID 2972 wrote to memory of 4728	2972	notpad.exe	539
PID 2972 wrote to memory of 4728	2972	notpad.exe	539
PID 2972 wrote to memory of 4728	2972	notpad.exe	539
PID 2972 wrote to memory of 3232	2972	notpad.exe	482
PID 2972 wrote to memory of 3232	2972	notpad.exe	482
PID 2972 wrote to memory of 3232	2972	notpad.exe	482
PID 4728 wrote to memory of 3544	4728	tmp240638656.exe	106
PID 4728 wrote to memory of 3544	4728	tmp240638656.exe	106
PID 4728 wrote to memory of 3544	4728	tmp240638656.exe	106
PID 3544 wrote to memory of 4800	3544	notpad.exe	147

C:\Users\Admin\AppData\Local\Temp\374b4a38a4cc8d687c87b0868cb71b90_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\374b4a38a4cc8d687c87b0868cb71b90_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:544
- C:\Users\Admin\AppData\Local\Temp\tmp240637109.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240637109.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4976
  - - C:\Users\Admin\AppData\Local\Temp\tmp240637718.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240637718.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:1856
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4344
      - C:\Users\Admin\AppData\Local\Temp\tmp240637921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637921.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638109.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4868
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638265.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1064
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638468.exe
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:996
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638656.exe
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4728
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639312.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4800
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        17⤵
        Executes dropped EXE
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639500.exe
        18⤵
        Executes dropped EXE
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639515.exe
        18⤵
        Executes dropped EXE
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639546.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4496
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        Executes dropped EXE
        
        PID:4716
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639687.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3660
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        22⤵
        Executes dropped EXE
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639890.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        24⤵
        Executes dropped EXE
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640046.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        26⤵
        Executes dropped EXE
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640234.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4452
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        28⤵
        Executes dropped EXE
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640437.exe
        29⤵
        Executes dropped EXE
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640468.exe
        29⤵
        Executes dropped EXE
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640515.exe
        30⤵
        Executes dropped EXE
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640546.exe
        30⤵
        Executes dropped EXE
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640593.exe
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        32⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640812.exe
        33⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640859.exe
        33⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640921.exe
        34⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640937.exe
        34⤵
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641000.exe
        35⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641015.exe
        35⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641046.exe
        36⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        37⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641218.exe
        38⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1212
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        39⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641468.exe
        40⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641484.exe
        40⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641546.exe
        41⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641562.exe
        41⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641609.exe
        42⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2532
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        43⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641843.exe
        44⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641890.exe
        44⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641937.exe
        45⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641953.exe
        45⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641984.exe
        46⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642000.exe
        46⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642046.exe
        47⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642062.exe
        47⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641625.exe
        42⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641671.exe
        43⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641687.exe
        43⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641234.exe
        38⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641312.exe
        39⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641343.exe
        39⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641406.exe
        40⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641421.exe
        40⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641453.exe
        41⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4704
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        42⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641656.exe
        43⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641718.exe
        43⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641750.exe
        44⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641765.exe
        44⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641796.exe
        45⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641812.exe
        45⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641859.exe
        46⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        47⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642031.exe
        48⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1920
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        49⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642187.exe
        50⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642218.exe
        50⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642312.exe
        51⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642375.exe
        51⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642484.exe
        52⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642531.exe
        52⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642546.exe
        53⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1736
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        54⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642687.exe
        55⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4968
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        56⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642828.exe
        57⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642843.exe
        57⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642937.exe
        58⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643046.exe
        58⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643062.exe
        59⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643078.exe
        59⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643109.exe
        60⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3576
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        61⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643593.exe
        62⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643640.exe
        62⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643750.exe
        63⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643781.exe
        63⤵
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643812.exe
        64⤵
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643828.exe
        64⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643203.exe
        60⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642750.exe
        55⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642781.exe
        56⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642906.exe
        56⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643000.exe
        57⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643140.exe
        57⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643234.exe
        58⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643250.exe
        58⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642578.exe
        53⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642093.exe
        48⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642140.exe
        49⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642156.exe
        49⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642203.exe
        50⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2012
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        51⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642328.exe
        52⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642359.exe
        52⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642406.exe
        53⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:544
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        54⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642562.exe
        55⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642671.exe
        55⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642703.exe
        56⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642718.exe
        56⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642812.exe
        57⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4948
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        58⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642953.exe
        59⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1872
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        60⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643171.exe
        61⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643187.exe
        61⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643218.exe
        62⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643546.exe
        62⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643750.exe
        63⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643781.exe
        63⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643890.exe
        64⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643906.exe
        64⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643031.exe
        59⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643328.exe
        60⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3052
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        61⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643671.exe
        62⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3176
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        63⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643796.exe
        64⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2712
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        65⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643921.exe
        66⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1036
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        67⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644281.exe
        68⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3568
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        69⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644437.exe
        70⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644468.exe
        70⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644796.exe
        71⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644890.exe
        71⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644953.exe
        72⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645625.exe
        72⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646062.exe
        73⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646156.exe
        73⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644328.exe
        68⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644421.exe
        69⤵
        Checks computer location settings
        Modifies registry class
        
        PID:940
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        70⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644968.exe
        71⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645203.exe
        71⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645265.exe
        72⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645359.exe
        72⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645406.exe
        73⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645640.exe
        73⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645703.exe
        74⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645718.exe
        74⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644578.exe
        69⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644765.exe
        70⤵
        
        PID:3768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644781.exe
        70⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645062.exe
        71⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645078.exe
        71⤵
        
        PID:3088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643937.exe
        66⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643968.exe
        67⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644000.exe
        67⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644062.exe
        64⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644078.exe
        65⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644109.exe
        65⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644140.exe
        66⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3884
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        67⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644343.exe
        68⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644500.exe
        68⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644515.exe
        69⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644593.exe
        69⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644656.exe
        70⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644671.exe
        70⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644859.exe
        71⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644875.exe
        71⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644171.exe
        66⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643687.exe
        62⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643843.exe
        63⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643859.exe
        63⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644031.exe
        64⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2972
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        65⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644296.exe
        66⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644312.exe
        66⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644359.exe
        67⤵
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644453.exe
        67⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644609.exe
        68⤵
        Checks computer location settings
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        69⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644843.exe
        70⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1892
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        71⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645109.exe
        72⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        73⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645312.exe
        74⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4680
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        75⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645750.exe
        76⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645781.exe
        76⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645421.exe
        74⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645515.exe
        75⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645812.exe
        75⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645906.exe
        76⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645921.exe
        76⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645968.exe
        77⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646109.exe
        77⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645140.exe
        72⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645171.exe
        73⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645343.exe
        73⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645453.exe
        74⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645468.exe
        74⤵
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645531.exe
        75⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645546.exe
        75⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644937.exe
        70⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645015.exe
        71⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645234.exe
        71⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645281.exe
        72⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645328.exe
        72⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645687.exe
        73⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2468
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        74⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645890.exe
        75⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1960
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        76⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646125.exe
        77⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:620
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        78⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646281.exe
        79⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2632
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        80⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646546.exe
        81⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646593.exe
        81⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646625.exe
        82⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        83⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646796.exe
        84⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646812.exe
        84⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647000.exe
        85⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4584
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        86⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647187.exe
        87⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647281.exe
        87⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647437.exe
        88⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3688
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        89⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647578.exe
        90⤵
        Checks computer location settings
        Modifies registry class
        
        PID:5092
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        91⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647765.exe
        92⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4364
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        93⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648015.exe
        94⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648156.exe
        94⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648265.exe
        95⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3808
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        96⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648500.exe
        97⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648656.exe
        97⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648718.exe
        98⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648906.exe
        98⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648953.exe
        99⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4280
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        100⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649125.exe
        101⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        102⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649296.exe
        103⤵
        
        PID:4912
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        104⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649406.exe
        105⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        106⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649656.exe
        107⤵
        
        PID:4784
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        108⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650000.exe
        109⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650093.exe
        109⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650390.exe
        110⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650421.exe
        110⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650453.exe
        111⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650484.exe
        111⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650593.exe
        112⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650640.exe
        112⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649671.exe
        107⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649687.exe
        108⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649890.exe
        108⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649937.exe
        109⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649968.exe
        109⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650140.exe
        110⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650765.exe
        110⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649812.exe
        105⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649953.exe
        106⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650203.exe
        106⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650328.exe
        107⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650343.exe
        107⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650562.exe
        108⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650578.exe
        108⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649500.exe
        103⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649546.exe
        104⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649593.exe
        104⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649765.exe
        105⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649781.exe
        105⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649859.exe
        106⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        107⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650031.exe
        108⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        109⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650250.exe
        110⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650265.exe
        110⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650671.exe
        111⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        112⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650875.exe
        113⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650906.exe
        114⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651015.exe
        114⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651046.exe
        115⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651125.exe
        115⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651140.exe
        113⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651250.exe
        114⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651359.exe
        114⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651406.exe
        115⤵
        
        PID:816
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        116⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651562.exe
        117⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        118⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651734.exe
        119⤵
        
        PID:372
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651921.exe
        119⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652015.exe
        120⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652125.exe
        120⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652171.exe
        121⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652250.exe
        121⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652312.exe
        122⤵
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652531.exe
        122⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651796.exe
        117⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651828.exe
        118⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652078.exe
        118⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652218.exe
        119⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652375.exe
        119⤵
        
        PID:620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652468.exe
        120⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652484.exe
        120⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651609.exe
        115⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651656.exe
        116⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651984.exe
        116⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650875.exe
        111⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650968.exe
        112⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        113⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651156.exe
        114⤵
        
        PID:864
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        115⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651312.exe
        116⤵
        
        PID:3256
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        117⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651421.exe
        118⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651437.exe
        118⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651328.exe
        116⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651468.exe
        117⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651546.exe
        117⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651734.exe
        118⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651750.exe
        118⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651843.exe
        119⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651859.exe
        119⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651171.exe
        114⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651203.exe
        115⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651078.exe
        112⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651093.exe
        113⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651531.exe
        113⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650109.exe
        108⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650156.exe
        109⤵
        
        PID:3636
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        110⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650375.exe
        111⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        112⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650953.exe
        113⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651218.exe
        113⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651578.exe
        114⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651593.exe
        114⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651625.exe
        115⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651671.exe
        115⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651781.exe
        116⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651937.exe
        116⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650437.exe
        111⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650515.exe
        112⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650531.exe
        112⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650921.exe
        113⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650937.exe
        113⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650984.exe
        114⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651000.exe
        114⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650218.exe
        109⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650281.exe
        110⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650296.exe
        110⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650500.exe
        111⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        112⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650703.exe
        113⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650718.exe
        113⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650734.exe
        114⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650796.exe
        114⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650828.exe
        115⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        116⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651031.exe
        117⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651109.exe
        117⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651203.exe
        118⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651281.exe
        118⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651453.exe
        115⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651484.exe
        116⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651734.exe
        116⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        117⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651890.exe
        118⤵
        
        PID:3276
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        119⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652109.exe
        120⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652281.exe
        120⤵
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652421.exe
        121⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652687.exe
        121⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652796.exe
        122⤵
        
        PID:228
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        123⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652937.exe
        124⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653015.exe
        125⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653156.exe
        125⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653250.exe
        126⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653265.exe
        126⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653281.exe
        124⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653312.exe
        125⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653328.exe
        125⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653578.exe
        126⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654000.exe
        126⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654031.exe
        127⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654343.exe
        127⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652859.exe
        122⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653171.exe
        123⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        124⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653296.exe
        125⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        126⤵
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653468.exe
        127⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653500.exe
        127⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653546.exe
        128⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653562.exe
        128⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653828.exe
        129⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653984.exe
        130⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654218.exe
        130⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653859.exe
        129⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653875.exe
        130⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653890.exe
        130⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653187.exe
        123⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652000.exe
        118⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652046.exe
        119⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        120⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652187.exe
        121⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        122⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652343.exe
        123⤵
        
        PID:1128
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        124⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652515.exe
        125⤵
        
        PID:376
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        126⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652906.exe
        127⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652937.exe
        127⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652968.exe
        128⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652625.exe
        125⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652640.exe
        126⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        127⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652859.exe
        128⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652875.exe
        129⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652937.exe
        129⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653000.exe
        130⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653046.exe
        130⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652921.exe
        128⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652953.exe
        129⤵
        
        PID:4492
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        130⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653203.exe
        131⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653343.exe
        131⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653593.exe
        132⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653625.exe
        132⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653718.exe
        133⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653734.exe
        133⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653765.exe
        134⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        135⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654156.exe
        136⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654250.exe
        136⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654406.exe
        137⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        138⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654734.exe
        139⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654750.exe
        139⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654921.exe
        140⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654937.exe
        140⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654984.exe
        141⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655062.exe
        141⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655093.exe
        142⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655109.exe
        142⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654421.exe
        137⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654453.exe
        138⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654625.exe
        138⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653812.exe
        134⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653078.exe
        129⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653359.exe
        130⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653390.exe
        130⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653453.exe
        131⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        132⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653656.exe
        133⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        134⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653921.exe
        135⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        136⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654093.exe
        137⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        138⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654265.exe
        139⤵
        
        PID:940
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        140⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654484.exe
        141⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654546.exe
        141⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654562.exe
        142⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654765.exe
        142⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654796.exe
        143⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654843.exe
        143⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654890.exe
        144⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654515.exe
        139⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654531.exe
        140⤵
        
        PID:2740
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        141⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654640.exe
        140⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654718.exe
        141⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        142⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654875.exe
        143⤵
        
        PID:220
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        144⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655078.exe
        145⤵
        
        PID:384
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        146⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655218.exe
        147⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        148⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655390.exe
        149⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        150⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655546.exe
        151⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655562.exe
        151⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655593.exe
        152⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655609.exe
        152⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655625.exe
        153⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655671.exe
        153⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655765.exe
        154⤵
        
        PID:4020
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        155⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655906.exe
        156⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655937.exe
        156⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655968.exe
        157⤵
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655984.exe
        157⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656000.exe
        158⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656015.exe
        158⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656296.exe
        159⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        160⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656406.exe
        161⤵
        
        PID:3748
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        162⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656421.exe
        161⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656531.exe
        162⤵
        
        PID:464
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        163⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656578.exe
        162⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656656.exe
        163⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656671.exe
        163⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656765.exe
        164⤵
        
        PID:384
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        165⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656796.exe
        164⤵
        
        PID:4648
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656390.exe
        159⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655781.exe
        154⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655406.exe
        149⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655468.exe
        150⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655500.exe
        150⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655531.exe
        151⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        152⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655687.exe
        153⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655703.exe
        153⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655750.exe
        154⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655812.exe
        154⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655875.exe
        155⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656046.exe
        155⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656203.exe
        156⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        157⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656343.exe
        158⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656359.exe
        158⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656609.exe
        159⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        160⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656828.exe
        161⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656906.exe
        161⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656625.exe
        159⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656640.exe
        160⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656718.exe
        160⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656843.exe
        161⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656906.exe
        161⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656312.exe
        156⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655625.exe
        151⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        152⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655843.exe
        153⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655859.exe
        153⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655890.exe
        154⤵
        
        PID:384
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        155⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656031.exe
        156⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        157⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656484.exe
        158⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656515.exe
        158⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656140.exe
        156⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656281.exe
        157⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656437.exe
        157⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656453.exe
        158⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656546.exe
        158⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656859.exe
        159⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        160⤵
        
        PID:4428
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657015.exe
        161⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        162⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657140.exe
        163⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        164⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657265.exe
        165⤵
        
        PID:3772
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        166⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657453.exe
        167⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657484.exe
        167⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657562.exe
        168⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657578.exe
        168⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657609.exe
        169⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        170⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657765.exe
        171⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657781.exe
        171⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657796.exe
        172⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657812.exe
        172⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657828.exe
        173⤵
        
        PID:2136
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        174⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657984.exe
        173⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658031.exe
        174⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        175⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658187.exe
        176⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        177⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658296.exe
        178⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        179⤵
        
        PID:4152
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658609.exe
        180⤵
        
        PID:4432
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        181⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658843.exe
        182⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658875.exe
        182⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658890.exe
        183⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659468.exe
        183⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659593.exe
        184⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659671.exe
        184⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658687.exe
        180⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658734.exe
        181⤵
        
        PID:2672
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        182⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658968.exe
        183⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658984.exe
        183⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659093.exe
        184⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659140.exe
        184⤵
        
        PID:220
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        185⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659265.exe
        186⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        187⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659406.exe
        188⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        189⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659687.exe
        190⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659718.exe
        190⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659828.exe
        191⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659765.exe
        188⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659843.exe
        189⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659859.exe
        189⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659281.exe
        186⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659296.exe
        187⤵
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659312.exe
        187⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659500.exe
        188⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659562.exe
        188⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659750.exe
        189⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658765.exe
        181⤵
        
        PID:544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658859.exe
        182⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        183⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659015.exe
        184⤵
        
        PID:996
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        185⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659171.exe
        186⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659328.exe
        186⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659531.exe
        187⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        188⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659656.exe
        189⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        190⤵
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659796.exe
        191⤵
        
        PID:1920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659609.exe
        187⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659781.exe
        188⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659875.exe
        188⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659046.exe
        184⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659062.exe
        185⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659156.exe
        185⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659187.exe
        186⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659203.exe
        186⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659250.exe
        187⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659359.exe
        187⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659453.exe
        188⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659546.exe
        188⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658953.exe
        182⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659140.exe
        183⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659734.exe
        183⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658312.exe
        178⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658359.exe
        179⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658390.exe
        179⤵
        
        PID:372
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658421.exe
        180⤵
        
        PID:3136
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        181⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658625.exe
        182⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658640.exe
        182⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658750.exe
        183⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658796.exe
        183⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658828.exe
        184⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658906.exe
        184⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658921.exe
        185⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659125.exe
        185⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659343.exe
        186⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659515.exe
        186⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658453.exe
        180⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658484.exe
        181⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658500.exe
        181⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658515.exe
        182⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658546.exe
        182⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658265.exe
        176⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658343.exe
        177⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658406.exe
        177⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658437.exe
        178⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658468.exe
        178⤵
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658062.exe
        174⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657671.exe
        169⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657718.exe
        170⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657734.exe
        170⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657296.exe
        165⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657406.exe
        166⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        167⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657500.exe
        168⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        169⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657625.exe
        170⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657640.exe
        170⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657703.exe
        171⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        172⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657843.exe
        173⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657859.exe
        173⤵
        
        PID:2976
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657875.exe
        174⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657890.exe
        174⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658031.exe
        175⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658078.exe
        175⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658125.exe
        176⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658140.exe
        176⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657921.exe
        171⤵
        
        PID:816
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658046.exe
        172⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658109.exe
        172⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658203.exe
        173⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658218.exe
        173⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657515.exe
        168⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657546.exe
        169⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657437.exe
        166⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657171.exe
        163⤵
        
        PID:376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657187.exe
        164⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657281.exe
        164⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657328.exe
        165⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657343.exe
        165⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657375.exe
        166⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657390.exe
        166⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657031.exe
        161⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657046.exe
        162⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657078.exe
        162⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657109.exe
        163⤵
        
        PID:3592
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657125.exe
        163⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657203.exe
        164⤵
        
        PID:312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657218.exe
        164⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656875.exe
        159⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655953.exe
        154⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656062.exe
        155⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656078.exe
        155⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656093.exe
        156⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656125.exe
        156⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655234.exe
        147⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655250.exe
        148⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655265.exe
        148⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655281.exe
        149⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655359.exe
        149⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655437.exe
        150⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655484.exe
        150⤵
        
        PID:664
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655171.exe
        145⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655203.exe
        146⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655328.exe
        146⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654968.exe
        143⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655125.exe
        144⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654812.exe
        141⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654859.exe
        142⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655015.exe
        142⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654234.exe
        137⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654281.exe
        138⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654296.exe
        138⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654359.exe
        139⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654609.exe
        139⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654046.exe
        135⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654109.exe
        136⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654125.exe
        136⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654171.exe
        137⤵
        
        PID:5044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654187.exe
        137⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654468.exe
        138⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654578.exe
        138⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653671.exe
        133⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653703.exe
        134⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653781.exe
        134⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653796.exe
        135⤵
        
        PID:3380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653828.exe
        135⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653968.exe
        136⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654015.exe
        136⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653484.exe
        131⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652781.exe
        126⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652453.exe
        123⤵
        
        PID:4540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652562.exe
        124⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652937.exe
        124⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652984.exe
        125⤵
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653031.exe
        125⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653125.exe
        126⤵
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653234.exe
        126⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652234.exe
        121⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652390.exe
        122⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652406.exe
        122⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652500.exe
        123⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652578.exe
        123⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652750.exe
        124⤵
        
        PID:1872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652812.exe
        124⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652203.exe
        119⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652656.exe
        120⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652671.exe
        120⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652703.exe
        121⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652734.exe
        121⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650609.exe
        111⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649875.exe
        106⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649343.exe
        101⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649562.exe
        102⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649609.exe
        102⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649734.exe
        103⤵
        
        PID:3924
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649750.exe
        103⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650015.exe
        104⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650062.exe
        104⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649015.exe
        99⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649125.exe
        100⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648359.exe
        95⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648375.exe
        96⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647890.exe
        92⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647937.exe
        93⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647953.exe
        93⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647984.exe
        94⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648000.exe
        94⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648031.exe
        95⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648218.exe
        95⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647687.exe
        90⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648343.exe
        91⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648453.exe
        91⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648515.exe
        92⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648531.exe
        92⤵
        
        PID:816
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648546.exe
        93⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4500
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        94⤵
        
        PID:372
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648843.exe
        95⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649046.exe
        95⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649171.exe
        96⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649203.exe
        96⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649265.exe
        97⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649453.exe
        97⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649484.exe
        98⤵
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649515.exe
        98⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648578.exe
        93⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647453.exe
        88⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647562.exe
        89⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647593.exe
        89⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647609.exe
        90⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647625.exe
        90⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647046.exe
        85⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647093.exe
        86⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647109.exe
        86⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647140.exe
        87⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3964
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        88⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647312.exe
        89⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2196
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        90⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647484.exe
        91⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647500.exe
        91⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647546.exe
        92⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647703.exe
        92⤵
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647921.exe
        93⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4436
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        94⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648109.exe
        95⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4084
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        96⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648421.exe
        97⤵
        Checks computer location settings
        Modifies registry class
        
        PID:368
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        98⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648671.exe
        99⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4840
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        100⤵
        
        PID:3844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648875.exe
        101⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648890.exe
        101⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649078.exe
        102⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649093.exe
        102⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649140.exe
        103⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649218.exe
        103⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649250.exe
        104⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649328.exe
        104⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648812.exe
        99⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648859.exe
        100⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648921.exe
        100⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649125.exe
        101⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649156.exe
        101⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649281.exe
        102⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649375.exe
        102⤵
        
        PID:4156
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648640.exe
        97⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648765.exe
        98⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648781.exe
        98⤵
        
        PID:384
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648828.exe
        99⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648968.exe
        99⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648984.exe
        100⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649000.exe
        100⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648125.exe
        95⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648171.exe
        96⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648250.exe
        96⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648296.exe
        97⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648390.exe
        97⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648468.exe
        98⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648703.exe
        98⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648078.exe
        93⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648187.exe
        94⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648203.exe
        94⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647343.exe
        89⤵
        
        PID:2972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647421.exe
        90⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647515.exe
        90⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647640.exe
        91⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647781.exe
        91⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647796.exe
        92⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648062.exe
        92⤵
        
        PID:4504
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647171.exe
        87⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646718.exe
        82⤵
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646765.exe
        83⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1204
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        84⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647015.exe
        85⤵
        
        PID:2652
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647031.exe
        85⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647156.exe
        86⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647218.exe
        86⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647250.exe
        87⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647265.exe
        87⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647359.exe
        88⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647375.exe
        88⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646859.exe
        83⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646890.exe
        84⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646937.exe
        84⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646296.exe
        79⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646312.exe
        80⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646343.exe
        80⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646468.exe
        81⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1380
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        82⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646640.exe
        83⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646656.exe
        83⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646687.exe
        84⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646703.exe
        84⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646750.exe
        85⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646828.exe
        85⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646875.exe
        86⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646968.exe
        86⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646484.exe
        81⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646515.exe
        82⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646562.exe
        82⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646140.exe
        77⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646234.exe
        78⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646250.exe
        78⤵
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646328.exe
        79⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646359.exe
        79⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646421.exe
        80⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646437.exe
        80⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645937.exe
        75⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645984.exe
        76⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646000.exe
        76⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646031.exe
        77⤵
        
        PID:1500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646046.exe
        77⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646078.exe
        78⤵
        
        PID:2108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646093.exe
        78⤵
        
        PID:4644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645843.exe
        73⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644625.exe
        68⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644703.exe
        69⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        70⤵
        
        PID:4024
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644906.exe
        71⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645000.exe
        71⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645046.exe
        72⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645125.exe
        72⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645453.exe
        73⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645484.exe
        73⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645593.exe
        74⤵
        
        PID:4808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645609.exe
        74⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644734.exe
        69⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644187.exe
        64⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644218.exe
        65⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644234.exe
        65⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643343.exe
        60⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643375.exe
        61⤵
        
        PID:2184
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643578.exe
        61⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643609.exe
        62⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643625.exe
        62⤵
        
        PID:3280
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642859.exe
        57⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642968.exe
        58⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642984.exe
        58⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642421.exe
        53⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642453.exe
        54⤵
        
        PID:3108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642500.exe
        54⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642625.exe
        55⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642640.exe
        55⤵
        
        PID:4960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642234.exe
        50⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642281.exe
        51⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642296.exe
        51⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641875.exe
        46⤵
        
        PID:4136
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641500.exe
        41⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641062.exe
        36⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640609.exe
        31⤵
        Executes dropped EXE
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640640.exe
        32⤵
        
        PID:4000
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640656.exe
        32⤵
        
        PID:460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640250.exe
        27⤵
        Executes dropped EXE
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640296.exe
        28⤵
        Executes dropped EXE
        
        PID:996
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640328.exe
        28⤵
        Executes dropped EXE
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640359.exe
        29⤵
        Executes dropped EXE
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640375.exe
        29⤵
        Executes dropped EXE
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640406.exe
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2884
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        31⤵
        Executes dropped EXE
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640703.exe
        32⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640718.exe
        32⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640765.exe
        33⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640781.exe
        33⤵
        
        PID:1116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640828.exe
        34⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4976
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        35⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641078.exe
        36⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641109.exe
        36⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641156.exe
        37⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641171.exe
        37⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641250.exe
        38⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641265.exe
        38⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641296.exe
        39⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641328.exe
        39⤵
        
        PID:3940
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640843.exe
        34⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640890.exe
        35⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640906.exe
        35⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640421.exe
        30⤵
        Executes dropped EXE
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640062.exe
        25⤵
        Executes dropped EXE
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640093.exe
        26⤵
        Executes dropped EXE
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640109.exe
        26⤵
        Executes dropped EXE
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640171.exe
        27⤵
        Executes dropped EXE
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640187.exe
        27⤵
        Executes dropped EXE
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639906.exe
        23⤵
        Executes dropped EXE
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639937.exe
        24⤵
        Executes dropped EXE
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639953.exe
        24⤵
        Executes dropped EXE
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639703.exe
        21⤵
        Executes dropped EXE
        
        PID:4528
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639765.exe
        22⤵
        Executes dropped EXE
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639781.exe
        22⤵
        Executes dropped EXE
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639578.exe
        19⤵
        Executes dropped EXE
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639328.exe
        16⤵
        Executes dropped EXE
        
        PID:1084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639390.exe
        17⤵
        Executes dropped EXE
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639421.exe
        17⤵
        Executes dropped EXE
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638671.exe
        14⤵
        Executes dropped EXE
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638500.exe
        12⤵
        Executes dropped EXE
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638312.exe
        10⤵
        Executes dropped EXE
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638125.exe
        8⤵
        Executes dropped EXE
        
        PID:4372
      - C:\Users\Admin\AppData\Local\Temp\tmp240637937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637937.exe
        6⤵
        Executes dropped EXE
        
        PID:1868
  - - C:\Users\Admin\AppData\Local\Temp\tmp240637734.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240637734.exe
      4⤵
      Executes dropped EXE
      PID:3360
- C:\Users\Admin\AppData\Local\Temp\tmp240637125.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240637125.exe
  2⤵
  - Executes dropped EXE
  PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp240637109.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240637125.exe

Filesize
67KB

MD5
5e28284f9b5f9097640d58a73d38ad4c

SHA1
7a90f8b051bc82cc9cadbcc9ba345ced02891a6c

SHA256
865f34fe7ba81e9622ddbdfc511547d190367bbf3dad21ceb6da3eec621044f5

SHA512
cb7218cfea8813ae8c7acf6f7511aecbeb9d697986e0eb8538065bf9e3e9c6ced9c29270eb677f5acf08d2e94b21018d8c4a376aa646fa73ce831fc87d448934

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240637734.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
296KB

MD5
64dc26441d16d0d2c9761c08a1f5fa60

SHA1
2fdeb240241d4e0e131fa1de34173c3d8eb6360e

SHA256
5e86a3a641752af6f89a7ec7add17e347818720aa9051e334eb37ad6ad2bba4e

SHA512
cc662645a655f4e1ee7ff556bf5363377b2789b5f0552f4208906a43970d384c5faa9cc6065b1ca65d753672cbdf06076424146bc630b6f747b1058b648d6942

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
430KB

MD5
f5728170b5dbb2fb465e6560e50b0e8c

SHA1
eabe12209b715b2b1403c52aac30fca6b90fbe94

SHA256
fd663655e0c5782f7d12a9fa6f1d0f4055958016548eab38e559baefd2d1fa95

SHA512
44a9a2afd5dc0a50ddd93f14f5624ecf50cb6072bee29fcff224964b4a25c4559e2c08c2f718c67a188778c5c0a50b400da2ea49144b279e5ab749d01e2ea6db

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
memory/544-12-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/544-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/968-371-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/968-377-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/996-368-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/996-146-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1052-443-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1060-345-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1060-540-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1060-579-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1064-124-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1084-210-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1116-452-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1116-476-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1204-699-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1292-612-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1292-593-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1720-814-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1760-505-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1760-530-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1852-789-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1856-492-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1856-56-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1892-34-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1892-456-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1912-798-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1912-769-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1916-489-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1948-403-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1948-411-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1960-674-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2028-576-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2028-561-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2116-99-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2116-330-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2116-319-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2272-286-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2272-297-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2320-749-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2320-740-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2488-560-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2488-582-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2492-470-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2588-499-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2592-298-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2612-706-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2672-408-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2716-402-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2740-343-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2740-332-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2840-623-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2884-414-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2948-819-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2956-206-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2972-148-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2972-164-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3016-362-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3016-347-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3212-412-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3212-420-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3276-378-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3316-739-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3316-718-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3356-639-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3376-484-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3392-775-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3392-751-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3464-714-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3464-326-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3464-702-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3516-285-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3544-199-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3544-177-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3652-652-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3652-641-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3660-273-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3740-370-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3740-357-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3772-218-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3772-225-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3784-399-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3816-341-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3964-656-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4000-435-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4020-504-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4024-316-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4024-735-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4072-694-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4136-495-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4180-564-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4180-542-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4180-750-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4180-772-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4292-270-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4344-58-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4344-77-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4364-395-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4364-615-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4396-304-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4428-243-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4432-455-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4452-382-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4496-248-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4528-263-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4528-272-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4660-525-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4660-539-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4676-122-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4676-103-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4716-262-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4728-176-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4800-445-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4800-416-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4800-213-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4820-451-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4868-101-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4888-245-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4900-590-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4908-783-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4908-813-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4948-527-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4948-507-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4956-144-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4976-54-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4980-665-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4980-657-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5016-79-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5024-421-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5024-437-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5084-477-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5084-488-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download