ef0f82b472aab1edf99b46c71976a7d823d3e9c903e45e0a79f770c57fc61160

Analysis

max time kernel
20s
max time network
132s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
23-07-2024 11:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6779ce241ef42c0d4fa5a0f696d33e92_JaffaCakes118.exe
Size

1.7MB
MD5

6779ce241ef42c0d4fa5a0f696d33e92
SHA1

4ab56181194100b613c01303c8bd2a500ace7e69
SHA256

ef0f82b472aab1edf99b46c71976a7d823d3e9c903e45e0a79f770c57fc61160
SHA512

7e70bfa3a4925a6a88192201a2a9258586f7878d9e7802087e18b8659541b77c2e802e3615075ac8c59a1ba45b3376b8243e0d91a52889e8e85ce056304bb9c1
SSDEEP

12288:bdPqPFdPZdPrPFdPZdPiPFdPZdPFPFbSDyTFtj6PHdPZdPfPFdPZdPwPFdPZdPNe:UDyTFtjYDyTFtjODyo1tj

Score

7^/10

upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 45 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240621921.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240622140.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240623843.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240626296.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240628703.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240630375.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240634625.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240634906.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240636546.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240626046.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240627500.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240629703.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240631015.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240631796.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240632953.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240629171.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240632406.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240632640.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240636000.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240636250.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240625750.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240626515.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240627218.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240628906.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240629500.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240631421.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240635312.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240620062.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240623000.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240624250.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240630843.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240632187.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240633984.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240634281.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240635687.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	6779ce241ef42c0d4fa5a0f696d33e92_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240620734.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240627750.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240628390.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240633656.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240621343.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240626843.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240628031.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240630000.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	tmp240633312.exe

Executes dropped EXE 64 IoCs

pid	Process
4312	notpad.exe
4624	tmp240620062.exe
3188	tmp240620140.exe
212	notpad.exe
2736	tmp240620734.exe
772	tmp240620796.exe
4212	notpad.exe
820	tmp240621343.exe
2164	tmp240621437.exe
3384	notpad.exe
2260	tmp240621921.exe
2052	tmp240621984.exe
4488	notpad.exe
3580	tmp240622140.exe
1940	tmp240622187.exe
1280	notpad.exe
3668	tmp240623000.exe
964	tmp240623046.exe
1600	tmp240623140.exe
392	tmp240623187.exe
4492	notpad.exe
4132	tmp240623843.exe
2696	tmp240623921.exe
452	tmp240624062.exe
4932	notpad.exe
560	tmp240624093.exe
2360	tmp240624250.exe
1584	tmp240624343.exe
3080	tmp240624312.exe
4780	tmp240624406.exe
1824	tmp240624484.exe
3636	tmp240625546.exe
4324	tmp240625640.exe
4404	tmp240625703.exe
3996	notpad.exe
436	tmp240625750.exe
4020	tmp240625781.exe
4884	tmp240625843.exe
2548	tmp240625937.exe
3876	tmp240626000.exe
3308	tmp240626015.exe
820	notpad.exe
3928	tmp240626046.exe
2836	tmp240626078.exe
2784	tmp240626156.exe
1204	notpad.exe
4488	tmp240626171.exe
1228	tmp240626296.exe
336	tmp240626312.exe
640	tmp240626328.exe
4124	tmp240626343.exe
1696	tmp240626421.exe
776	tmp240626453.exe
392	notpad.exe
1880	tmp240626515.exe
712	tmp240626546.exe
3668	tmp240626562.exe
1056	tmp240626578.exe
1932	tmp240626703.exe
452	tmp240626750.exe
4604	notpad.exe
2844	tmp240626843.exe
1668	tmp240626828.exe
4308	tmp240626859.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023456-11.dat	upx
behavioral2/memory/4312-21-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4312-42-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x00090000000233f7-28.dat	upx
behavioral2/memory/212-44-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/212-65-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4212-87-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3384-109-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4488-116-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4488-122-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0008000000023468-142.dat	upx
behavioral2/memory/1280-144-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1280-164-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/964-157-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/964-178-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x000700000002346d-184.dat	upx
behavioral2/memory/4492-186-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2696-210-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/560-257-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4932-255-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3080-249-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2696-234-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3080-264-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3996-291-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4020-293-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4020-298-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2836-333-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/776-385-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4604-403-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1056-401-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/100-480-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4348-525-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1368-528-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2504-552-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1880-579-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4844-618-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4484-646-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/100-670-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/440-676-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1416-715-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1904-726-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1904-765-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2140-766-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/896-763-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/324-753-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/712-751-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1416-733-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4488-723-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2704-714-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/712-710-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/440-702-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2704-696-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3480-690-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4488-681-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3480-671-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/100-659-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4484-658-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2548-639-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4844-631-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4948-617-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1900-605-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4948-604-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2408-602-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1900-588-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240626515.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240626843.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240627500.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240633312.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240636828.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240621343.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240623843.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240626046.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240630000.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240633984.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240636828.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240620062.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240627750.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240629500.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240626296.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240621921.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240631796.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240632187.exe
File created	C:\Windows\SysWOW64\notpad.exe-	6779ce241ef42c0d4fa5a0f696d33e92_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240629500.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240634906.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240636000.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240636546.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240629171.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240627750.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240632953.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240626046.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240629500.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240630843.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240631015.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240626296.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240621343.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240626296.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240630375.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240620062.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240633656.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240634906.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240636546.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240628390.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240628390.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240628703.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240628906.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240634625.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240636250.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240636828.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240628031.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240631421.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240632953.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240633984.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240622140.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240624250.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240626843.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240627218.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240631421.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240633656.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240624250.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240632640.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240632640.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240633656.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240634281.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240624250.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240623000.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240627750.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240635687.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 46 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240627218.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240623000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240624250.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240626843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240626296.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240636250.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240635687.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240620062.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240630375.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240634625.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240629171.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240630843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240631421.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240632640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240633984.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240626046.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240627750.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240628390.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240634906.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240636828.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240626515.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240627500.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240628906.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240631015.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240632953.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240621921.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240622140.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240623843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240633656.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240631796.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240632187.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240632406.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240633312.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240635312.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240629500.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240629703.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240630000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240636546.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240636000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	6779ce241ef42c0d4fa5a0f696d33e92_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240620734.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240628703.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240634281.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240621343.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240625750.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240628031.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3080 wrote to memory of 4312	3080	6779ce241ef42c0d4fa5a0f696d33e92_JaffaCakes118.exe	87
PID 3080 wrote to memory of 4312	3080	6779ce241ef42c0d4fa5a0f696d33e92_JaffaCakes118.exe	87
PID 3080 wrote to memory of 4312	3080	6779ce241ef42c0d4fa5a0f696d33e92_JaffaCakes118.exe	87
PID 4312 wrote to memory of 4624	4312	notpad.exe	252
PID 4312 wrote to memory of 4624	4312	notpad.exe	252
PID 4312 wrote to memory of 4624	4312	notpad.exe	252
PID 4312 wrote to memory of 3188	4312	notpad.exe	156
PID 4312 wrote to memory of 3188	4312	notpad.exe	156
PID 4312 wrote to memory of 3188	4312	notpad.exe	156
PID 4624 wrote to memory of 212	4624	tmp240620062.exe	468
PID 4624 wrote to memory of 212	4624	tmp240620062.exe	468
PID 4624 wrote to memory of 212	4624	tmp240620062.exe	468
PID 212 wrote to memory of 2736	212	notpad.exe	1321
PID 212 wrote to memory of 2736	212	notpad.exe	1321
PID 212 wrote to memory of 2736	212	notpad.exe	1321
PID 212 wrote to memory of 772	212	notpad.exe	1305
PID 212 wrote to memory of 772	212	notpad.exe	1305
PID 212 wrote to memory of 772	212	notpad.exe	1305
PID 2736 wrote to memory of 4212	2736	tmp240620734.exe	1229
PID 2736 wrote to memory of 4212	2736	tmp240620734.exe	1229
PID 2736 wrote to memory of 4212	2736	tmp240620734.exe	1229
PID 4212 wrote to memory of 820	4212	notpad.exe	858
PID 4212 wrote to memory of 820	4212	notpad.exe	858
PID 4212 wrote to memory of 820	4212	notpad.exe	858
PID 4212 wrote to memory of 2164	4212	notpad.exe	435
PID 4212 wrote to memory of 2164	4212	notpad.exe	435
PID 4212 wrote to memory of 2164	4212	notpad.exe	435
PID 820 wrote to memory of 3384	820	tmp240621343.exe	96
PID 820 wrote to memory of 3384	820	tmp240621343.exe	96
PID 820 wrote to memory of 3384	820	tmp240621343.exe	96
PID 3384 wrote to memory of 2260	3384	notpad.exe	713
PID 3384 wrote to memory of 2260	3384	notpad.exe	713
PID 3384 wrote to memory of 2260	3384	notpad.exe	713
PID 3384 wrote to memory of 2052	3384	notpad.exe	200
PID 3384 wrote to memory of 2052	3384	notpad.exe	200
PID 3384 wrote to memory of 2052	3384	notpad.exe	200
PID 2260 wrote to memory of 4488	2260	tmp240621921.exe	1676
PID 2260 wrote to memory of 4488	2260	tmp240621921.exe	1676
PID 2260 wrote to memory of 4488	2260	tmp240621921.exe	1676
PID 4488 wrote to memory of 3580	4488	notpad.exe	1571
PID 4488 wrote to memory of 3580	4488	notpad.exe	1571
PID 4488 wrote to memory of 3580	4488	notpad.exe	1571
PID 4488 wrote to memory of 1940	4488	notpad.exe	390
PID 4488 wrote to memory of 1940	4488	notpad.exe	390
PID 4488 wrote to memory of 1940	4488	notpad.exe	390
PID 3580 wrote to memory of 1280	3580	tmp240622140.exe	102
PID 3580 wrote to memory of 1280	3580	tmp240622140.exe	102
PID 3580 wrote to memory of 1280	3580	tmp240622140.exe	102
PID 1280 wrote to memory of 3668	1280	notpad.exe	145
PID 1280 wrote to memory of 3668	1280	notpad.exe	145
PID 1280 wrote to memory of 3668	1280	notpad.exe	145
PID 1280 wrote to memory of 964	1280	notpad.exe	511
PID 1280 wrote to memory of 964	1280	notpad.exe	511
PID 1280 wrote to memory of 964	1280	notpad.exe	511
PID 964 wrote to memory of 1600	964	tmp240623046.exe	1454
PID 964 wrote to memory of 1600	964	tmp240623046.exe	1454
PID 964 wrote to memory of 1600	964	tmp240623046.exe	1454
PID 964 wrote to memory of 392	964	tmp240623046.exe	1787
PID 964 wrote to memory of 392	964	tmp240623046.exe	1787
PID 964 wrote to memory of 392	964	tmp240623046.exe	1787
PID 3668 wrote to memory of 4492	3668	tmp240623000.exe	1576
PID 3668 wrote to memory of 4492	3668	tmp240623000.exe	1576
PID 3668 wrote to memory of 4492	3668	tmp240623000.exe	1576
PID 4492 wrote to memory of 4132	4492	notpad.exe	1916

C:\Users\Admin\AppData\Local\Temp\6779ce241ef42c0d4fa5a0f696d33e92_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6779ce241ef42c0d4fa5a0f696d33e92_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3080
- C:\Windows\SysWOW64\notpad.exe
  "C:\Windows\system32\notpad.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4312
- - C:\Users\Admin\AppData\Local\Temp\tmp240620062.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240620062.exe
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4624
  - - C:\Windows\SysWOW64\notpad.exe
      "C:\Windows\system32\notpad.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:212
    - - C:\Users\Admin\AppData\Local\Temp\tmp240620734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620734.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2736
      - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621343.exe
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:820
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621921.exe
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622140.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3580
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623000.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3668
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623843.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4132
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        Executes dropped EXE
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624250.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2360
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        Executes dropped EXE
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625750.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:436
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        Executes dropped EXE
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626046.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3928
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        22⤵
        Executes dropped EXE
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626296.exe
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1228
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        24⤵
        Executes dropped EXE
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626546.exe
        25⤵
        Executes dropped EXE
        
        PID:712
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626578.exe
        25⤵
        Executes dropped EXE
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626703.exe
        26⤵
        Executes dropped EXE
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626750.exe
        26⤵
        Executes dropped EXE
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626843.exe
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:2844
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        28⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627218.exe
        29⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:5028
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        30⤵
        
        PID:100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627500.exe
        31⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3536
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        32⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627750.exe
        33⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        34⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628031.exe
        35⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1056
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        36⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628296.exe
        37⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628312.exe
        37⤵
        
        PID:4948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628390.exe
        38⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3868
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        39⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628703.exe
        40⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2052
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        41⤵
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628906.exe
        42⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:964
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        43⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629171.exe
        44⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:548
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        45⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629468.exe
        46⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629484.exe
        46⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629640.exe
        47⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629656.exe
        47⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629703.exe
        48⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4288
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        49⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630203.exe
        50⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630250.exe
        50⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630375.exe
        51⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4932
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        52⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630859.exe
        53⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630875.exe
        53⤵
        
        PID:60
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630968.exe
        54⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630984.exe
        54⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631109.exe
        55⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631140.exe
        55⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631250.exe
        56⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631265.exe
        56⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631312.exe
        57⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631328.exe
        57⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631421.exe
        58⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3272
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        59⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631796.exe
        60⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        61⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632125.exe
        62⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632156.exe
        62⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632296.exe
        63⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632343.exe
        63⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632406.exe
        64⤵
        Checks computer location settings
        Modifies registry class
        
        PID:700
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        65⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632671.exe
        66⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632687.exe
        66⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632843.exe
        67⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632890.exe
        67⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632968.exe
        68⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633015.exe
        68⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633078.exe
        69⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633140.exe
        69⤵
        
        PID:324
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633234.exe
        70⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633296.exe
        70⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633343.exe
        71⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633359.exe
        71⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632468.exe
        64⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632515.exe
        65⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632531.exe
        65⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632562.exe
        66⤵
        
        PID:600
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632578.exe
        66⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632718.exe
        67⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632781.exe
        67⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631843.exe
        60⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631937.exe
        61⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631968.exe
        61⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632031.exe
        62⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632046.exe
        62⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632109.exe
        63⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632140.exe
        63⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632187.exe
        64⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:388
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        65⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632453.exe
        66⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632546.exe
        66⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632640.exe
        67⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1996
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        68⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633031.exe
        69⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633093.exe
        69⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633187.exe
        70⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633203.exe
        70⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633312.exe
        71⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4336
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        72⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633671.exe
        73⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633687.exe
        73⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633828.exe
        74⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633890.exe
        74⤵
        
        PID:3300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634000.exe
        75⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634015.exe
        75⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634093.exe
        76⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634125.exe
        76⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634203.exe
        77⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634265.exe
        77⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634328.exe
        78⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634343.exe
        78⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633390.exe
        71⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633484.exe
        72⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633500.exe
        72⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633593.exe
        73⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633625.exe
        73⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633656.exe
        74⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2520
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        75⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634062.exe
        76⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634078.exe
        76⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634234.exe
        77⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634250.exe
        77⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634375.exe
        78⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634406.exe
        78⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634500.exe
        79⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634515.exe
        79⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634562.exe
        80⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634578.exe
        80⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634640.exe
        81⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634765.exe
        81⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633703.exe
        74⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632656.exe
        67⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632734.exe
        68⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632812.exe
        68⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632875.exe
        69⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632906.exe
        69⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632953.exe
        70⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:540
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        71⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633375.exe
        72⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633468.exe
        72⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633562.exe
        73⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633578.exe
        73⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633718.exe
        74⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633750.exe
        74⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633843.exe
        75⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633859.exe
        75⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633921.exe
        76⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633937.exe
        76⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633984.exe
        77⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:992
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        78⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634281.exe
        79⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2308
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        80⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634656.exe
        81⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634671.exe
        81⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634796.exe
        82⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634843.exe
        82⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635093.exe
        83⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635109.exe
        83⤵
        
        PID:2332
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635250.exe
        84⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635265.exe
        84⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635312.exe
        85⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        86⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635687.exe
        87⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        88⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636000.exe
        89⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        90⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636234.exe
        91⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636265.exe
        91⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636375.exe
        92⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636390.exe
        92⤵
        
        PID:336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636468.exe
        93⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636531.exe
        93⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636640.exe
        94⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636703.exe
        94⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636750.exe
        95⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636765.exe
        95⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636828.exe
        96⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4056
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        97⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637046.exe
        98⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637062.exe
        98⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637156.exe
        99⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637203.exe
        99⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637343.exe
        100⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637359.exe
        100⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637421.exe
        101⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637437.exe
        101⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637484.exe
        102⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637500.exe
        102⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637562.exe
        103⤵
        
        PID:4816
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637593.exe
        103⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636859.exe
        96⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636015.exe
        89⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635781.exe
        87⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635906.exe
        88⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635953.exe
        88⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636078.exe
        89⤵
        
        PID:3832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636109.exe
        89⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636250.exe
        90⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1528
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        91⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636546.exe
        92⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4420
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        93⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636843.exe
        94⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636875.exe
        94⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636984.exe
        95⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637031.exe
        95⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637093.exe
        96⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        97⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637453.exe
        98⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        99⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637703.exe
        100⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        101⤵
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637921.exe
        102⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638000.exe
        102⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638093.exe
        103⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638109.exe
        103⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638218.exe
        104⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638234.exe
        104⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638328.exe
        105⤵
        
        PID:896
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        106⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638734.exe
        107⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638750.exe
        107⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638953.exe
        108⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639000.exe
        108⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639078.exe
        109⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639093.exe
        109⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639203.exe
        110⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639234.exe
        110⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639375.exe
        111⤵
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639390.exe
        111⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639437.exe
        112⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639468.exe
        112⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639593.exe
        113⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639625.exe
        113⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638468.exe
        105⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638562.exe
        106⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638593.exe
        106⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638765.exe
        107⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        108⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639156.exe
        109⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        110⤵
        
        PID:3852
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639546.exe
        111⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        112⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640078.exe
        113⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640140.exe
        113⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640296.exe
        114⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640328.exe
        114⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640453.exe
        115⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640593.exe
        115⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640671.exe
        116⤵
        
        PID:336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640734.exe
        116⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640859.exe
        117⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640921.exe
        117⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641015.exe
        118⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641062.exe
        118⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641140.exe
        119⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641562.exe
        119⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639609.exe
        111⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639750.exe
        112⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639781.exe
        112⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639875.exe
        113⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639921.exe
        113⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640031.exe
        114⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        115⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640343.exe
        116⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640390.exe
        116⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640562.exe
        117⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640578.exe
        117⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640718.exe
        118⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640750.exe
        118⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640906.exe
        119⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640953.exe
        119⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641203.exe
        120⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641234.exe
        120⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641546.exe
        121⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641656.exe
        121⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641703.exe
        122⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641734.exe
        122⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640046.exe
        114⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640109.exe
        115⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640125.exe
        115⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640203.exe
        116⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640234.exe
        116⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640312.exe
        117⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        118⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640625.exe
        119⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        120⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641125.exe
        121⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        122⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641750.exe
        123⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641796.exe
        123⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642015.exe
        124⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642046.exe
        124⤵
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642140.exe
        125⤵
        
        PID:3584
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        126⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642578.exe
        127⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642593.exe
        127⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642750.exe
        128⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        129⤵
        
        PID:3816
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643156.exe
        130⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        131⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643437.exe
        132⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        133⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643718.exe
        134⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        135⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644265.exe
        136⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644281.exe
        136⤵
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644421.exe
        137⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644453.exe
        137⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644671.exe
        138⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644703.exe
        138⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645015.exe
        139⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645093.exe
        139⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645250.exe
        140⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645328.exe
        140⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645437.exe
        141⤵
        
        PID:3604
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        142⤵
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645828.exe
        143⤵
        
        PID:4132
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        144⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646171.exe
        145⤵
        
        PID:744
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        146⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646687.exe
        147⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646796.exe
        147⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647093.exe
        148⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647203.exe
        148⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647453.exe
        149⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647468.exe
        149⤵
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647546.exe
        150⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647578.exe
        150⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647734.exe
        151⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647796.exe
        151⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647921.exe
        152⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648140.exe
        152⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648312.exe
        153⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648406.exe
        153⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646453.exe
        145⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646578.exe
        146⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646656.exe
        146⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646812.exe
        147⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        148⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647375.exe
        149⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647593.exe
        149⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647750.exe
        150⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647828.exe
        150⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648031.exe
        151⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648062.exe
        151⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646828.exe
        147⤵
        
        PID:4932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647046.exe
        148⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647140.exe
        148⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647312.exe
        149⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        150⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647671.exe
        151⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        152⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648343.exe
        153⤵
        
        PID:600
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648359.exe
        153⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648500.exe
        154⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648546.exe
        154⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648703.exe
        155⤵
        
        PID:3300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648750.exe
        155⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648875.exe
        156⤵
        
        PID:3404
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        157⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649234.exe
        158⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649250.exe
        158⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649500.exe
        159⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        160⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649859.exe
        161⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        162⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650203.exe
        163⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650296.exe
        163⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649875.exe
        161⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650140.exe
        162⤵
        
        PID:1360
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650156.exe
        162⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650359.exe
        163⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650390.exe
        163⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650500.exe
        164⤵
        
        PID:2844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650531.exe
        164⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650640.exe
        165⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650656.exe
        165⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650781.exe
        166⤵
        
        PID:3732
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650812.exe
        166⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650906.exe
        167⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650921.exe
        167⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650984.exe
        168⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651015.exe
        168⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651234.exe
        169⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651265.exe
        169⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648984.exe
        156⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649062.exe
        157⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649078.exe
        157⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649140.exe
        158⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649156.exe
        158⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649218.exe
        159⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        160⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649515.exe
        161⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649531.exe
        161⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649718.exe
        162⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649734.exe
        162⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649953.exe
        163⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650000.exe
        163⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650109.exe
        164⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650125.exe
        164⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650296.exe
        165⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        166⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650625.exe
        167⤵
        
        PID:3852
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        168⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651062.exe
        169⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        170⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651500.exe
        171⤵
        
        PID:4344
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        172⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652078.exe
        173⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652203.exe
        173⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652390.exe
        174⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652453.exe
        174⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652828.exe
        175⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652906.exe
        175⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653046.exe
        176⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653140.exe
        176⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653265.exe
        177⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653296.exe
        177⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653390.exe
        178⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653453.exe
        178⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653578.exe
        179⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653625.exe
        179⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653750.exe
        180⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653765.exe
        180⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653812.exe
        181⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653906.exe
        181⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651531.exe
        171⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651796.exe
        172⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651812.exe
        172⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651937.exe
        173⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651968.exe
        173⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652125.exe
        174⤵
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652171.exe
        174⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652296.exe
        175⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652328.exe
        175⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652468.exe
        176⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652609.exe
        176⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652703.exe
        177⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652750.exe
        177⤵
        
        PID:2760
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652937.exe
        178⤵
        
        PID:336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652984.exe
        178⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653093.exe
        179⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653125.exe
        179⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651093.exe
        169⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651281.exe
        170⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651359.exe
        170⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651578.exe
        171⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651593.exe
        171⤵
        
        PID:2620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651875.exe
        172⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651890.exe
        172⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652015.exe
        173⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        174⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652687.exe
        175⤵
        
        PID:2596
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        176⤵
        
        PID:324
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653359.exe
        177⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653406.exe
        177⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653640.exe
        178⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653687.exe
        178⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653843.exe
        179⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        180⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653890.exe
        179⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654078.exe
        180⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654125.exe
        180⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654218.exe
        181⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654390.exe
        181⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652718.exe
        175⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652921.exe
        176⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652953.exe
        176⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653109.exe
        177⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653187.exe
        177⤵
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653328.exe
        178⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        179⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653796.exe
        180⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653828.exe
        180⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654171.exe
        181⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654187.exe
        181⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654296.exe
        182⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654328.exe
        182⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653375.exe
        178⤵
        
        PID:3124
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653531.exe
        179⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653562.exe
        179⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653718.exe
        180⤵
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653781.exe
        180⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653984.exe
        181⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654046.exe
        181⤵
        
        PID:4260
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654109.exe
        182⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654140.exe
        182⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654265.exe
        183⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654312.exe
        183⤵
        
        PID:1212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652031.exe
        173⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652156.exe
        174⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652187.exe
        174⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652250.exe
        175⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652343.exe
        175⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652421.exe
        176⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652437.exe
        176⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652546.exe
        177⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652625.exe
        177⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650687.exe
        167⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650828.exe
        168⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650843.exe
        168⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651000.exe
        169⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651031.exe
        169⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651156.exe
        170⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651171.exe
        170⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651296.exe
        171⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651328.exe
        171⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651390.exe
        172⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651406.exe
        172⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651468.exe
        173⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651484.exe
        173⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650312.exe
        165⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650421.exe
        166⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650437.exe
        166⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650515.exe
        167⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650546.exe
        167⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650593.exe
        168⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650703.exe
        168⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650796.exe
        169⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650937.exe
        169⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649375.exe
        159⤵
        
        PID:3392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649421.exe
        160⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649437.exe
        160⤵
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647703.exe
        151⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647953.exe
        152⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647984.exe
        152⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648156.exe
        153⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648187.exe
        153⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648406.exe
        154⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648515.exe
        154⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648625.exe
        155⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648656.exe
        155⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648734.exe
        156⤵
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648765.exe
        156⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648843.exe
        157⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648859.exe
        157⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648890.exe
        158⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648906.exe
        158⤵
        
        PID:32
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647359.exe
        149⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647484.exe
        150⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647625.exe
        150⤵
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647765.exe
        151⤵
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647812.exe
        151⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647968.exe
        152⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648000.exe
        152⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646015.exe
        143⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646484.exe
        144⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646515.exe
        144⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646625.exe
        145⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646671.exe
        145⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647125.exe
        146⤵
        
        PID:312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647234.exe
        146⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647328.exe
        147⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647343.exe
        147⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647515.exe
        148⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647562.exe
        148⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648250.exe
        149⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648296.exe
        149⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648406.exe
        150⤵
        
        PID:3816
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        151⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648921.exe
        152⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648968.exe
        152⤵
        
        PID:3584
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649093.exe
        153⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649109.exe
        153⤵
        
        PID:1204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649281.exe
        154⤵
        
        PID:312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649296.exe
        154⤵
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649453.exe
        155⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649546.exe
        155⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649703.exe
        156⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649750.exe
        156⤵
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649812.exe
        157⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649843.exe
        157⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649906.exe
        158⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649921.exe
        158⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650046.exe
        159⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650062.exe
        159⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650187.exe
        160⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650234.exe
        160⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648453.exe
        150⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645453.exe
        141⤵
        
        PID:4852
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645625.exe
        142⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645656.exe
        142⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645687.exe
        143⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645906.exe
        143⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643750.exe
        134⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643968.exe
        135⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644046.exe
        135⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644187.exe
        136⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        137⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644609.exe
        138⤵
        
        PID:448
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        139⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645156.exe
        140⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645187.exe
        140⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645390.exe
        141⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645406.exe
        141⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645500.exe
        142⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645515.exe
        142⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645781.exe
        143⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645796.exe
        143⤵
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646078.exe
        144⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646109.exe
        144⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646203.exe
        145⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646234.exe
        145⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646343.exe
        146⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646375.exe
        146⤵
        
        PID:980
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646421.exe
        147⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646468.exe
        147⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644625.exe
        138⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645046.exe
        139⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645062.exe
        139⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645218.exe
        140⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645531.exe
        140⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645609.exe
        141⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645671.exe
        141⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645734.exe
        142⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645875.exe
        142⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645937.exe
        143⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645953.exe
        143⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646062.exe
        144⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646093.exe
        144⤵
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646187.exe
        145⤵
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646281.exe
        145⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644218.exe
        136⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644296.exe
        137⤵
        
        PID:4824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644343.exe
        137⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644484.exe
        138⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644578.exe
        138⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644640.exe
        139⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644734.exe
        139⤵
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645140.exe
        140⤵
        
        PID:1960
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        141⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645718.exe
        142⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645765.exe
        142⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645984.exe
        143⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646031.exe
        143⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646218.exe
        144⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646250.exe
        144⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646562.exe
        145⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646609.exe
        145⤵
        
        PID:336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646765.exe
        146⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646906.exe
        146⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647078.exe
        147⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647109.exe
        147⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647187.exe
        148⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647218.exe
        148⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648171.exe
        149⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648218.exe
        149⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645265.exe
        140⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645343.exe
        141⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645359.exe
        141⤵
        
        PID:2904
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643453.exe
        132⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643562.exe
        133⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643578.exe
        133⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643671.exe
        134⤵
        
        PID:3300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643687.exe
        134⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643843.exe
        135⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643890.exe
        135⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643953.exe
        136⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644031.exe
        136⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644109.exe
        137⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644156.exe
        137⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644406.exe
        138⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644468.exe
        138⤵
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644687.exe
        139⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644750.exe
        139⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643218.exe
        130⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643390.exe
        131⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643406.exe
        131⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643593.exe
        132⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643609.exe
        132⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643734.exe
        133⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643765.exe
        133⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643875.exe
        134⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643921.exe
        134⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644000.exe
        135⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644015.exe
        135⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644093.exe
        136⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644171.exe
        136⤵
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644515.exe
        137⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644531.exe
        137⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642828.exe
        128⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642906.exe
        129⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642937.exe
        129⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643062.exe
        130⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643078.exe
        130⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643171.exe
        131⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643187.exe
        131⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643234.exe
        132⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643265.exe
        132⤵
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643328.exe
        133⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643343.exe
        133⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642171.exe
        125⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642296.exe
        126⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642328.exe
        126⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642468.exe
        127⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642500.exe
        127⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642546.exe
        128⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642562.exe
        128⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642656.exe
        129⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642687.exe
        129⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641156.exe
        121⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641484.exe
        122⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641593.exe
        122⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641765.exe
        123⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641828.exe
        123⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641937.exe
        124⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641984.exe
        124⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642062.exe
        125⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642078.exe
        125⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642156.exe
        126⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642312.exe
        126⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642375.exe
        127⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642406.exe
        127⤵
        
        PID:212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640656.exe
        119⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640812.exe
        120⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640843.exe
        120⤵
        
        PID:2968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640968.exe
        121⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641000.exe
        121⤵
        
        PID:2344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641078.exe
        122⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641109.exe
        122⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641218.exe
        123⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641265.exe
        123⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641578.exe
        124⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641609.exe
        124⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641687.exe
        125⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        126⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642187.exe
        127⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642234.exe
        127⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642421.exe
        128⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642484.exe
        128⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642625.exe
        129⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642640.exe
        129⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642765.exe
        130⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642781.exe
        130⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642875.exe
        131⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642921.exe
        131⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642968.exe
        132⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642984.exe
        132⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643031.exe
        133⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643093.exe
        133⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641859.exe
        125⤵
        
        PID:4276
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640515.exe
        117⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639187.exe
        109⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639406.exe
        110⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639453.exe
        110⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639562.exe
        111⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639578.exe
        111⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639687.exe
        112⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639718.exe
        112⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639796.exe
        113⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639828.exe
        113⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639890.exe
        114⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639906.exe
        114⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639953.exe
        115⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639968.exe
        115⤵
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638796.exe
        107⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639046.exe
        108⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639109.exe
        108⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637718.exe
        100⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637875.exe
        101⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        102⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638343.exe
        103⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638375.exe
        103⤵
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638515.exe
        104⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638546.exe
        104⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638671.exe
        105⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638718.exe
        105⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638812.exe
        106⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638859.exe
        106⤵
        
        PID:4148
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638968.exe
        107⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638984.exe
        107⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639031.exe
        108⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639140.exe
        108⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639218.exe
        109⤵
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639265.exe
        109⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637937.exe
        101⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638031.exe
        102⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638062.exe
        102⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638156.exe
        103⤵
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638171.exe
        103⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638265.exe
        104⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638281.exe
        104⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638359.exe
        105⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638421.exe
        105⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638500.exe
        106⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638609.exe
        106⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637484.exe
        98⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637109.exe
        96⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637234.exe
        97⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637265.exe
        97⤵
        
        PID:3652
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637328.exe
        98⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637609.exe
        98⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637656.exe
        99⤵
        
        PID:100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637671.exe
        99⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636562.exe
        92⤵
        
        PID:1548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636671.exe
        93⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636687.exe
        93⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636781.exe
        94⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636328.exe
        90⤵
        
        PID:3880
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636406.exe
        91⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636421.exe
        91⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636484.exe
        92⤵
        
        PID:312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636500.exe
        92⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635390.exe
        85⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635453.exe
        86⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635484.exe
        86⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634312.exe
        79⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634453.exe
        80⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634531.exe
        80⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634625.exe
        81⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:756
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        82⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634906.exe
        83⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4884
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        84⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635359.exe
        85⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635406.exe
        85⤵
        
        PID:4052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635546.exe
        86⤵
        
        PID:1260
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635578.exe
        86⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635671.exe
        87⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635734.exe
        87⤵
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635812.exe
        88⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635859.exe
        88⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635937.exe
        89⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635968.exe
        89⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636046.exe
        90⤵
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636187.exe
        90⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634937.exe
        83⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635125.exe
        84⤵
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635140.exe
        84⤵
        
        PID:3996
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635328.exe
        85⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635343.exe
        85⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635437.exe
        86⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635468.exe
        86⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635531.exe
        87⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635609.exe
        87⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635703.exe
        88⤵
        
        PID:440
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635828.exe
        88⤵
        
        PID:100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634703.exe
        81⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634968.exe
        82⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635000.exe
        82⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635078.exe
        83⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635171.exe
        83⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635218.exe
        84⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635234.exe
        84⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634031.exe
        77⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632984.exe
        70⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633109.exe
        71⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633250.exe
        71⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632234.exe
        64⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632281.exe
        65⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632312.exe
        65⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631437.exe
        58⤵
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630406.exe
        51⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630531.exe
        52⤵
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630578.exe
        52⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630656.exe
        53⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630687.exe
        53⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630718.exe
        54⤵
        
        PID:100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630796.exe
        54⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629781.exe
        48⤵
        
        PID:3508
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629859.exe
        49⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629906.exe
        49⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630000.exe
        50⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3468
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        51⤵
        
        PID:700
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630312.exe
        52⤵
        
        PID:396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630328.exe
        52⤵
        
        PID:992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630421.exe
        53⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630468.exe
        53⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630593.exe
        54⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630609.exe
        54⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630734.exe
        55⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630765.exe
        55⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630843.exe
        56⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4556
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        57⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631015.exe
        58⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4348
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        59⤵
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631500.exe
        60⤵
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631531.exe
        60⤵
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631656.exe
        61⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631718.exe
        61⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631812.exe
        62⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631828.exe
        62⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631953.exe
        63⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632000.exe
        63⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632078.exe
        64⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632093.exe
        64⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632203.exe
        65⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632359.exe
        65⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631078.exe
        58⤵
        
        PID:4748
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631218.exe
        59⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631281.exe
        59⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631343.exe
        60⤵
        
        PID:4440
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631390.exe
        60⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631468.exe
        61⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631484.exe
        61⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631609.exe
        62⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631625.exe
        62⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631687.exe
        63⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631703.exe
        63⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630890.exe
        56⤵
        
        PID:3364
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630046.exe
        50⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629281.exe
        44⤵
        
        PID:2140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629375.exe
        45⤵
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629390.exe
        45⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629437.exe
        46⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629453.exe
        46⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629500.exe
        47⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4844
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        48⤵
        
        PID:4412
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629718.exe
        49⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629734.exe
        49⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629812.exe
        50⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629843.exe
        50⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629890.exe
        51⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629921.exe
        51⤵
        
        PID:3788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629968.exe
        52⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630015.exe
        52⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630187.exe
        53⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630218.exe
        53⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629546.exe
        47⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629578.exe
        48⤵
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629609.exe
        48⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628921.exe
        42⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629000.exe
        43⤵
        
        PID:1288
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629046.exe
        43⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629109.exe
        44⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629156.exe
        44⤵
        
        PID:324
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629203.exe
        45⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629234.exe
        45⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629296.exe
        46⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629328.exe
        46⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628718.exe
        40⤵
        
        PID:100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628781.exe
        41⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628796.exe
        41⤵
        
        PID:3480
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628859.exe
        42⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628875.exe
        42⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628984.exe
        43⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629031.exe
        43⤵
        
        PID:712
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629062.exe
        44⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629140.exe
        44⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628406.exe
        38⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628453.exe
        39⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628484.exe
        39⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628546.exe
        40⤵
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628562.exe
        40⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628078.exe
        35⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628140.exe
        36⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628171.exe
        36⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628218.exe
        37⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628234.exe
        37⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628281.exe
        38⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628328.exe
        38⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627765.exe
        33⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627812.exe
        34⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627843.exe
        34⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627921.exe
        35⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627937.exe
        35⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627546.exe
        31⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627625.exe
        32⤵
        
        PID:2684
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627656.exe
        32⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627687.exe
        33⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627703.exe
        33⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627250.exe
        29⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627328.exe
        30⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627375.exe
        30⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627437.exe
        31⤵
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627453.exe
        31⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626875.exe
        27⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626328.exe
        23⤵
        Executes dropped EXE
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626421.exe
        24⤵
        Executes dropped EXE
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626453.exe
        24⤵
        Executes dropped EXE
        
        PID:776
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626515.exe
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1880
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        26⤵
        Executes dropped EXE
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626828.exe
        27⤵
        Executes dropped EXE
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626859.exe
        27⤵
        Executes dropped EXE
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627109.exe
        28⤵
        
        PID:700
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627140.exe
        28⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627171.exe
        29⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627203.exe
        29⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626562.exe
        25⤵
        Executes dropped EXE
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626078.exe
        21⤵
        Executes dropped EXE
        
        PID:2836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626156.exe
        22⤵
        Executes dropped EXE
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626171.exe
        22⤵
        Executes dropped EXE
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626312.exe
        23⤵
        Executes dropped EXE
        
        PID:336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626343.exe
        23⤵
        Executes dropped EXE
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625781.exe
        19⤵
        Executes dropped EXE
        
        PID:4020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625843.exe
        20⤵
        Executes dropped EXE
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625937.exe
        20⤵
        Executes dropped EXE
        
        PID:2548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626000.exe
        21⤵
        Executes dropped EXE
        
        PID:3876
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626015.exe
        21⤵
        Executes dropped EXE
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624312.exe
        17⤵
        Executes dropped EXE
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624484.exe
        18⤵
        Executes dropped EXE
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625546.exe
        18⤵
        Executes dropped EXE
        
        PID:3636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625640.exe
        19⤵
        Executes dropped EXE
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625703.exe
        19⤵
        Executes dropped EXE
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623921.exe
        15⤵
        Executes dropped EXE
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624062.exe
        16⤵
        Executes dropped EXE
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624093.exe
        16⤵
        Executes dropped EXE
        
        PID:560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624343.exe
        17⤵
        Executes dropped EXE
        
        PID:1584
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624406.exe
        17⤵
        Executes dropped EXE
        
        PID:4780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623046.exe
        13⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623140.exe
        14⤵
        Executes dropped EXE
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623187.exe
        14⤵
        Executes dropped EXE
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622187.exe
        11⤵
        Executes dropped EXE
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621984.exe
        9⤵
        Executes dropped EXE
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621437.exe
        7⤵
        Executes dropped EXE
        
        PID:2164
    - - C:\Users\Admin\AppData\Local\Temp\tmp240620796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620796.exe
        5⤵
        Executes dropped EXE
        
        PID:772
- - C:\Users\Admin\AppData\Local\Temp\tmp240620140.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240620140.exe
    3⤵
    - Executes dropped EXE
    PID:3188

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:4200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp240620062.exe

Filesize
1.7MB

MD5
6779ce241ef42c0d4fa5a0f696d33e92

SHA1
4ab56181194100b613c01303c8bd2a500ace7e69

SHA256
ef0f82b472aab1edf99b46c71976a7d823d3e9c903e45e0a79f770c57fc61160

SHA512
7e70bfa3a4925a6a88192201a2a9258586f7878d9e7802087e18b8659541b77c2e802e3615075ac8c59a1ba45b3376b8243e0d91a52889e8e85ce056304bb9c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240620140.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
1.8MB

MD5
3232305568cccbaab841f61c74057c5d

SHA1
d123685797f6e196684630040e9fa4983f740869

SHA256
87c6f9372989826bbd388ebbb55508abf4f9823bb44cd54774561cdfeaf7ccbf

SHA512
5406ecc51321f695306127817f5c5edcc3b07528640e94b8bfc9ebb77023a49a562a16778b5cb11e04b2a04672300de0115880f6bf7b0f8c94dcc8633921c356

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
5.2MB

MD5
f4c19742e431c95c1055d454a5595f70

SHA1
b5775b2ad0e51a547c42a5450d82fd9564cca771

SHA256
b120ea5a44399f0736f48be0fa921ea105d41ea254e8833706c77e3abc8e1860

SHA512
831d35ea5d8dcd87c6f521dc9c2d416cd2d55432dfd7b1ffc15972b48968398da6d68f3dd90525519d558982255404b9ab7510f6c6923e2fb1d84b4f4c22d2ae

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
3.5MB

MD5
a83492b84b3d85f075e6951bf4f88768

SHA1
fcb197370fea50f8098d9c3a7d9625ff636d494b

SHA256
1d8c70af4a5fb0efa045a42301c43aef5541ba2a3152aee84ce1fa79e2e5c067

SHA512
49a91da713cd8f6c3ca02b1fd290245ad637a68fb347ce2fc4323b7145ef4fcec5765d4d8e663dca015200637ba9003009d39bd424d712b03faf076893c3159b

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
memory/100-480-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/100-670-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/100-659-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/100-494-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/212-44-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/212-65-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/324-753-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/336-348-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/392-393-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/392-372-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/436-310-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/440-676-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/440-702-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/452-428-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/452-215-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/560-257-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/640-351-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/640-367-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/700-432-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/712-751-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/712-710-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/712-383-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/776-385-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/776-368-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/820-89-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/820-308-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/820-324-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/896-763-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/964-178-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/964-157-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1056-391-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1056-401-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1204-357-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1228-370-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1260-463-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1260-440-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1280-164-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1280-144-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1368-513-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1368-528-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1416-715-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1416-733-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1516-496-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1516-502-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1584-253-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1600-168-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1668-420-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1696-363-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1824-265-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1832-437-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1832-447-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1880-402-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1880-579-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1900-605-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1900-588-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1904-726-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1904-765-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1932-397-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2140-766-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2260-112-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2360-271-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2408-602-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2504-552-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2548-307-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2548-639-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2696-234-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2696-210-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2704-714-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2704-696-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2736-66-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2784-328-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2836-333-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2836-325-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2844-441-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3080-264-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3080-249-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3080-22-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3100-478-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3188-442-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3384-109-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3428-566-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3480-671-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3480-690-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3504-468-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3580-141-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3636-274-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3668-185-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3876-305-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3928-512-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3928-505-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3928-334-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3992-477-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3996-275-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3996-291-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4020-293-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4020-298-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4132-220-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4212-87-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4308-422-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4308-435-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4312-21-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4312-42-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4324-272-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4348-525-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4348-540-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4484-658-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4484-646-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4488-723-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4488-335-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4488-116-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4488-122-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4488-359-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4488-681-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4492-186-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4492-208-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4604-403-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4604-424-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4624-45-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4844-618-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4844-631-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4884-299-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4932-255-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4932-218-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4936-576-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4936-586-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4948-617-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4948-604-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5008-470-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5008-457-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5028-479-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download