c1492f83bf7e7e40541318e27fd7062d7e4d2319100feb9627c6f2aac98644b4

Analysis

max time kernel
68s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/09/2024, 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dce7b4d4b69ab0a740d898d331a08620N.exe
Size

5.5MB
MD5

dce7b4d4b69ab0a740d898d331a08620
SHA1

20093ed2389ba386df3c185307b8d6f22736a31f
SHA256

c1492f83bf7e7e40541318e27fd7062d7e4d2319100feb9627c6f2aac98644b4
SHA512

713b1bcf8c2db2f617b46217689d83c320f2b264f1da7ade450e7765eba3bc77cf302d4491444cb64841774cb2590bbe24c28ba6dd3cb343cef2ea9801da7441
SSDEEP

98304:Az5W8z5WNz5W+z5Wrz5Wwz5Wdz5W8z5WNz5W+z5Wrz5Wwz5WVeRg5W05W:lR

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 61 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240612546.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240626375.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240661968.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240666656.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240616531.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240627515.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240648234.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240664484.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240626921.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240640984.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240653046.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240674593.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240656812.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240671484.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240616203.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240628515.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240633968.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240642281.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240645406.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240675781.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240620031.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240637687.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240656062.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240659062.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240673359.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240630015.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240651734.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240659937.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240663296.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240625312.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240625781.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240631062.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240643250.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240654312.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240678875.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240614296.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240614750.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240631687.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240635734.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240644171.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240629046.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240632171.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240646421.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240650781.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240665703.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240634718.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240648843.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240657656.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240661015.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240633187.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240639593.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240640187.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240669546.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240672546.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240613578.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240649937.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240677546.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240623437.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240636593.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240667562.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	tmp240639000.exe

Executes dropped EXE 64 IoCs

pid	Process
1152	tmp240612546.exe
4120	tmp240612609.exe
3232	notpad.exe
4788	tmp240613578.exe
4488	tmp240613921.exe
1476	notpad.exe
2912	tmp240614296.exe
1728	tmp240614546.exe
3528	notpad.exe
3688	tmp240614750.exe
536	tmp240614796.exe
968	notpad.exe
4212	tmp240616203.exe
832	tmp240616265.exe
1576	notpad.exe
1284	tmp240616531.exe
3628	tmp240616484.exe
3556	tmp240616578.exe
4312	tmp240616609.exe
4700	tmp240616703.exe
556	tmp240616765.exe
4388	notpad.exe
4688	tmp240620031.exe
1780	tmp240620828.exe
3892	tmp240620968.exe
3724	tmp240621031.exe
2748	tmp240621250.exe
3932	tmp240621328.exe
3496	notpad.exe
3256	tmp240623437.exe
3276	tmp240623500.exe
4596	tmp240623671.exe
1564	notpad.exe
2592	tmp240624359.exe
1516	tmp240625312.exe
1636	tmp240625359.exe
2388	tmp240625437.exe
4836	tmp240625375.exe
4048	tmp240625562.exe
2956	tmp240625609.exe
2896	tmp240625578.exe
3308	notpad.exe
3356	tmp240625656.exe
908	tmp240625781.exe
3628	tmp240625796.exe
2516	tmp240625828.exe
4700	tmp240625859.exe
2272	tmp240626000.exe
4884	tmp240626015.exe
1100	tmp240626078.exe
2404	tmp240626046.exe
4992	tmp240626171.exe
2220	tmp240626203.exe
3068	tmp240626265.exe
2984	tmp240626312.exe
1404	notpad.exe
4156	tmp240626375.exe
760	tmp240626421.exe
1152	tmp240626578.exe
1368	tmp240626625.exe
3932	tmp240626750.exe
2072	tmp240626781.exe
2160	notpad.exe
1060	tmp240626921.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2312-0-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2312-9-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000023436-21.dat	upx
behavioral2/memory/3232-32-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000023432-38.dat	upx
behavioral2/memory/3232-52-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1476-54-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1476-72-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3528-77-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3528-87-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0008000000023436-107.dat	upx
behavioral2/memory/968-129-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1576-131-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/832-156-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1576-163-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4312-173-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4312-160-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x00090000000006cf-184.dat	upx
behavioral2/memory/4388-204-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3724-224-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1780-227-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3724-237-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x000700000002344d-240.dat	upx
behavioral2/memory/3496-241-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3276-256-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3496-263-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1564-267-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2592-272-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3276-276-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2592-289-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1564-292-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4836-298-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2388-307-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4836-314-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3308-333-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3356-335-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2516-331-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4700-353-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2516-356-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2404-368-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2220-376-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1404-390-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/760-404-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1368-415-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2072-413-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2180-432-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2072-430-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2180-445-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2160-449-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4980-461-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2264-463-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3972-477-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2872-475-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4048-479-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4980-491-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4048-499-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3400-497-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3400-510-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1276-507-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2872-515-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1276-528-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4928-533-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4400-531-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2380-538-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240645406.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240649937.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240663296.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240614296.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240623437.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240631687.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240633968.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240639000.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240640984.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240659062.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240613578.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240623437.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240648234.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240667562.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240626921.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240639000.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240647359.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240659937.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240678875.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240614296.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240614750.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240620031.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240650781.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240657656.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240674593.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240616203.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240626375.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240633968.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240661968.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240664484.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240627515.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240635734.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240639593.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240665703.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240612546.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240643250.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240657656.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240677546.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240614750.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240626921.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240631062.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240637687.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240654312.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240674593.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240675781.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240612546.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240616531.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240626375.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240636593.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240640984.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240654312.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240656812.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240677546.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240647359.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240613578.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240630015.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240646421.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240648843.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240633187.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240616203.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240632171.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240643250.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240648843.exe
File opened for modification	C:\Windows\SysWOW64\fsb.stb	tmp240659062.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240652703.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240659140.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240659296.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240665437.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240671562.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240638359.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240648984.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240661328.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240673125.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240616531.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240632906.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240633968.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240638015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240613578.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240642750.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240648812.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240665359.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240666656.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240670671.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240678187.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240654296.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240663703.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240664281.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240664968.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240670328.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240675890.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240616765.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240667531.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240679375.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240644359.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240655640.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240675609.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240641031.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240657703.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240662015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240664953.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240665390.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240671703.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240636296.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240646078.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240655484.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240634921.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240649890.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240654390.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240660453.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240624359.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240630406.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240639500.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240640218.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240673593.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240680562.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240643093.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240643671.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240659171.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240627703.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240630859.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240646515.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240654984.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240633312.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240643375.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240652640.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240656859.exe

Modifies registry class 62 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240666656.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240672546.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240626375.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240634718.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240635734.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240656062.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240656812.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240614296.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240616203.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240625781.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240633968.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240650781.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240612546.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240639593.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240654312.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240657656.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240677546.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240667562.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240675781.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240632171.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240644171.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240646421.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240647359.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240649937.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240626921.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240651734.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240659937.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240665703.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240629046.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240643250.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240648234.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240664484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240630015.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240648843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240659062.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240669546.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240673359.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240636593.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240639000.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240640984.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240671484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240616531.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240625312.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240628515.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240631062.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240642281.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240613578.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240620031.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240637687.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240653046.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240674593.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240678875.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240663296.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240623437.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240633187.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240640187.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240661015.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240661968.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240627515.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240645406.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240614750.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240631687.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 1152	2312	dce7b4d4b69ab0a740d898d331a08620N.exe	83
PID 2312 wrote to memory of 1152	2312	dce7b4d4b69ab0a740d898d331a08620N.exe	83
PID 2312 wrote to memory of 1152	2312	dce7b4d4b69ab0a740d898d331a08620N.exe	83
PID 2312 wrote to memory of 4120	2312	dce7b4d4b69ab0a740d898d331a08620N.exe	84
PID 2312 wrote to memory of 4120	2312	dce7b4d4b69ab0a740d898d331a08620N.exe	84
PID 2312 wrote to memory of 4120	2312	dce7b4d4b69ab0a740d898d331a08620N.exe	84
PID 1152 wrote to memory of 3232	1152	tmp240612546.exe	85
PID 1152 wrote to memory of 3232	1152	tmp240612546.exe	85
PID 1152 wrote to memory of 3232	1152	tmp240612546.exe	85
PID 3232 wrote to memory of 4788	3232	notpad.exe	87
PID 3232 wrote to memory of 4788	3232	notpad.exe	87
PID 3232 wrote to memory of 4788	3232	notpad.exe	87
PID 3232 wrote to memory of 4488	3232	notpad.exe	89
PID 3232 wrote to memory of 4488	3232	notpad.exe	89
PID 3232 wrote to memory of 4488	3232	notpad.exe	89
PID 4788 wrote to memory of 1476	4788	tmp240613578.exe	90
PID 4788 wrote to memory of 1476	4788	tmp240613578.exe	90
PID 4788 wrote to memory of 1476	4788	tmp240613578.exe	90
PID 1476 wrote to memory of 2912	1476	notpad.exe	91
PID 1476 wrote to memory of 2912	1476	notpad.exe	91
PID 1476 wrote to memory of 2912	1476	notpad.exe	91
PID 1476 wrote to memory of 1728	1476	notpad.exe	92
PID 1476 wrote to memory of 1728	1476	notpad.exe	92
PID 1476 wrote to memory of 1728	1476	notpad.exe	92
PID 2912 wrote to memory of 3528	2912	tmp240614296.exe	93
PID 2912 wrote to memory of 3528	2912	tmp240614296.exe	93
PID 2912 wrote to memory of 3528	2912	tmp240614296.exe	93
PID 3528 wrote to memory of 3688	3528	notpad.exe	94
PID 3528 wrote to memory of 3688	3528	notpad.exe	94
PID 3528 wrote to memory of 3688	3528	notpad.exe	94
PID 3528 wrote to memory of 536	3528	notpad.exe	95
PID 3528 wrote to memory of 536	3528	notpad.exe	95
PID 3528 wrote to memory of 536	3528	notpad.exe	95
PID 3688 wrote to memory of 968	3688	tmp240614750.exe	97
PID 3688 wrote to memory of 968	3688	tmp240614750.exe	97
PID 3688 wrote to memory of 968	3688	tmp240614750.exe	97
PID 968 wrote to memory of 4212	968	notpad.exe	98
PID 968 wrote to memory of 4212	968	notpad.exe	98
PID 968 wrote to memory of 4212	968	notpad.exe	98
PID 968 wrote to memory of 832	968	notpad.exe	99
PID 968 wrote to memory of 832	968	notpad.exe	99
PID 968 wrote to memory of 832	968	notpad.exe	99
PID 4212 wrote to memory of 1576	4212	tmp240616203.exe	100
PID 4212 wrote to memory of 1576	4212	tmp240616203.exe	100
PID 4212 wrote to memory of 1576	4212	tmp240616203.exe	100
PID 832 wrote to memory of 1284	832	tmp240616265.exe	102
PID 832 wrote to memory of 1284	832	tmp240616265.exe	102
PID 832 wrote to memory of 1284	832	tmp240616265.exe	102
PID 1576 wrote to memory of 3628	1576	notpad.exe	135
PID 1576 wrote to memory of 3628	1576	notpad.exe	135
PID 1576 wrote to memory of 3628	1576	notpad.exe	135
PID 832 wrote to memory of 3556	832	tmp240616265.exe	103
PID 832 wrote to memory of 3556	832	tmp240616265.exe	103
PID 832 wrote to memory of 3556	832	tmp240616265.exe	103
PID 1576 wrote to memory of 4312	1576	notpad.exe	104
PID 1576 wrote to memory of 4312	1576	notpad.exe	104
PID 1576 wrote to memory of 4312	1576	notpad.exe	104
PID 4312 wrote to memory of 4700	4312	tmp240616609.exe	137
PID 4312 wrote to memory of 4700	4312	tmp240616609.exe	137
PID 4312 wrote to memory of 4700	4312	tmp240616609.exe	137
PID 4312 wrote to memory of 556	4312	tmp240616609.exe	106
PID 4312 wrote to memory of 556	4312	tmp240616609.exe	106
PID 4312 wrote to memory of 556	4312	tmp240616609.exe	106
PID 1284 wrote to memory of 4388	1284	tmp240616531.exe	109

C:\Users\Admin\AppData\Local\Temp\dce7b4d4b69ab0a740d898d331a08620N.exe
"C:\Users\Admin\AppData\Local\Temp\dce7b4d4b69ab0a740d898d331a08620N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Users\Admin\AppData\Local\Temp\tmp240612546.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240612546.exe
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:3232
  - - C:\Users\Admin\AppData\Local\Temp\tmp240613578.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240613578.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4788
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1476
      - C:\Users\Admin\AppData\Local\Temp\tmp240614296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614296.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614750.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3688
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616203.exe
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4212
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616484.exe
        12⤵
        Executes dropped EXE
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616609.exe
        12⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616703.exe
        13⤵
        Executes dropped EXE
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616765.exe
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616265.exe
        10⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616531.exe
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:1284
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        12⤵
        Executes dropped EXE
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620031.exe
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4688
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        14⤵
        Executes dropped EXE
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623437.exe
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:3256
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        16⤵
        Executes dropped EXE
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625312.exe
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:1516
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625781.exe
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:908
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        20⤵
        Executes dropped EXE
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626375.exe
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:4156
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        22⤵
        Executes dropped EXE
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627015.exe
        23⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627062.exe
        23⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627296.exe
        24⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627343.exe
        24⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627515.exe
        25⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2988
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        26⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628515.exe
        27⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2688
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        28⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629046.exe
        29⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1028
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        30⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629859.exe
        31⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629937.exe
        31⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630437.exe
        32⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630500.exe
        32⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630828.exe
        33⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630859.exe
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631015.exe
        34⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631046.exe
        34⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631265.exe
        35⤵
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631343.exe
        35⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631484.exe
        36⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631531.exe
        36⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631593.exe
        37⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631640.exe
        37⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629171.exe
        29⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629546.exe
        30⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629578.exe
        30⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629828.exe
        31⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629875.exe
        31⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630109.exe
        32⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630171.exe
        32⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630406.exe
        33⤵
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630468.exe
        33⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630656.exe
        34⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630703.exe
        34⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630765.exe
        35⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630812.exe
        35⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628562.exe
        27⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628906.exe
        28⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628937.exe
        28⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629156.exe
        29⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629203.exe
        29⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629484.exe
        30⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629562.exe
        30⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629750.exe
        31⤵
        
        PID:3300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629796.exe
        31⤵
        
        PID:3188
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630015.exe
        32⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1532
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        33⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631062.exe
        34⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:744
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        35⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631687.exe
        36⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1636
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        37⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632312.exe
        38⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632484.exe
        38⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632906.exe
        39⤵
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631750.exe
        36⤵
        
        PID:4980
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632125.exe
        37⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632156.exe
        37⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632859.exe
        38⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632953.exe
        38⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633203.exe
        39⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633265.exe
        39⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633578.exe
        40⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633640.exe
        40⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633781.exe
        41⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633812.exe
        41⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633953.exe
        42⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634000.exe
        42⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634125.exe
        43⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634218.exe
        43⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631109.exe
        34⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631500.exe
        35⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631562.exe
        35⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631812.exe
        36⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631875.exe
        36⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632171.exe
        37⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3572
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        38⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633390.exe
        39⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633453.exe
        39⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633875.exe
        40⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633906.exe
        40⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634296.exe
        41⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634359.exe
        41⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634640.exe
        42⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634687.exe
        42⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634921.exe
        43⤵
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634984.exe
        43⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635234.exe
        44⤵
        
        PID:4300
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635296.exe
        44⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635421.exe
        45⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635484.exe
        45⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635546.exe
        46⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635609.exe
        46⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632468.exe
        37⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632812.exe
        38⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632921.exe
        38⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633062.exe
        39⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633093.exe
        39⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633187.exe
        40⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3232
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        41⤵
        
        PID:744
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633968.exe
        42⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        43⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634718.exe
        44⤵
        Checks computer location settings
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        45⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635750.exe
        46⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635828.exe
        46⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636296.exe
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636656.exe
        47⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637078.exe
        48⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637125.exe
        48⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637359.exe
        49⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637406.exe
        49⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637625.exe
        50⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637656.exe
        50⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637859.exe
        51⤵
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637906.exe
        51⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638078.exe
        52⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638140.exe
        52⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638203.exe
        53⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638250.exe
        53⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634796.exe
        44⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635312.exe
        45⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635390.exe
        45⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635734.exe
        46⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        47⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636765.exe
        48⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636843.exe
        48⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637187.exe
        49⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637218.exe
        49⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637687.exe
        50⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:632
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        51⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639031.exe
        52⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639078.exe
        52⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639515.exe
        53⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639656.exe
        53⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640078.exe
        54⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640125.exe
        54⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640593.exe
        55⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640671.exe
        55⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640984.exe
        56⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4928
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        57⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642281.exe
        58⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        59⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643281.exe
        60⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643343.exe
        60⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643890.exe
        61⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643953.exe
        61⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644296.exe
        62⤵
        
        PID:4324
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644359.exe
        62⤵
        System Location Discovery: System Language Discovery
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644718.exe
        63⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644984.exe
        63⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645250.exe
        64⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645296.exe
        64⤵
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645609.exe
        65⤵
        
        PID:372
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645687.exe
        65⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645953.exe
        66⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646078.exe
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646234.exe
        67⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646296.exe
        67⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646484.exe
        68⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646562.exe
        68⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642359.exe
        58⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642937.exe
        59⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643015.exe
        59⤵
        
        PID:1120
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643671.exe
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643734.exe
        60⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644000.exe
        61⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644046.exe
        61⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644343.exe
        62⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644406.exe
        62⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644750.exe
        63⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644953.exe
        63⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645109.exe
        64⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645171.exe
        64⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645406.exe
        65⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2696
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        66⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646453.exe
        67⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646515.exe
        67⤵
        System Location Discovery: System Language Discovery
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646968.exe
        68⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647046.exe
        68⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647546.exe
        69⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647671.exe
        69⤵
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648078.exe
        70⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648109.exe
        70⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648421.exe
        71⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648531.exe
        71⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648812.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648984.exe
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649265.exe
        73⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649453.exe
        73⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649750.exe
        74⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649796.exe
        74⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649843.exe
        75⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649890.exe
        75⤵
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645484.exe
        65⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645703.exe
        66⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645828.exe
        66⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641078.exe
        56⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641406.exe
        57⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641531.exe
        57⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641781.exe
        58⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642203.exe
        58⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642437.exe
        59⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642562.exe
        59⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642781.exe
        60⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642859.exe
        60⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637734.exe
        50⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638093.exe
        51⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638234.exe
        51⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638500.exe
        52⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638812.exe
        52⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639000.exe
        53⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1748
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        54⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639718.exe
        55⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639828.exe
        55⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640187.exe
        56⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2480
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        57⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641031.exe
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641234.exe
        58⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641765.exe
        59⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642046.exe
        59⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642750.exe
        60⤵
        System Location Discovery: System Language Discovery
        
        PID:736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642828.exe
        60⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643250.exe
        61⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:432
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        62⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644171.exe
        63⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        64⤵
        
        PID:2356
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645281.exe
        65⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645328.exe
        65⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645937.exe
        66⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645984.exe
        66⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646406.exe
        67⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646437.exe
        67⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646890.exe
        68⤵
        
        PID:512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647015.exe
        68⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647359.exe
        69⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4820
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        70⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648250.exe
        71⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648328.exe
        71⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648843.exe
        72⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3892
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        73⤵
        System Location Discovery: System Language Discovery
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649953.exe
        74⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649984.exe
        74⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650515.exe
        75⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650593.exe
        75⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651312.exe
        76⤵
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651390.exe
        76⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651984.exe
        77⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652250.exe
        77⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652718.exe
        78⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652828.exe
        78⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653203.exe
        79⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653281.exe
        79⤵
        
        PID:3204
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653609.exe
        80⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653703.exe
        80⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654000.exe
        81⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654046.exe
        81⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654125.exe
        82⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654250.exe
        82⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648953.exe
        72⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649343.exe
        73⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649406.exe
        73⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649859.exe
        74⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650296.exe
        74⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650656.exe
        75⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650734.exe
        75⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651328.exe
        76⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651468.exe
        76⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651828.exe
        77⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651921.exe
        77⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652187.exe
        78⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652421.exe
        78⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652578.exe
        79⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652687.exe
        79⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647515.exe
        69⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647750.exe
        70⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647859.exe
        70⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648031.exe
        71⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648093.exe
        71⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648234.exe
        72⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3496
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        73⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649234.exe
        74⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649296.exe
        74⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649937.exe
        75⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3020
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        76⤵
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650781.exe
        77⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4324
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        78⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651734.exe
        79⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1908
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        80⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653375.exe
        81⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653515.exe
        81⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654078.exe
        82⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654171.exe
        82⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655015.exe
        83⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655078.exe
        83⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655453.exe
        84⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655484.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655859.exe
        85⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655921.exe
        85⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656156.exe
        86⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656250.exe
        86⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656468.exe
        87⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656531.exe
        87⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656671.exe
        88⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656718.exe
        88⤵
        
        PID:2340
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656859.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656921.exe
        89⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651812.exe
        79⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652562.exe
        80⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652640.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:1536
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653171.exe
        81⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653359.exe
        81⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653812.exe
        82⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653859.exe
        82⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654156.exe
        83⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654234.exe
        83⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654984.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655046.exe
        84⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655359.exe
        85⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655421.exe
        85⤵
        
        PID:4308
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655578.exe
        86⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655640.exe
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655781.exe
        87⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655843.exe
        87⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650875.exe
        77⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651296.exe
        78⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651656.exe
        78⤵
        
        PID:512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652281.exe
        79⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652359.exe
        79⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652812.exe
        80⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652906.exe
        80⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653250.exe
        81⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653296.exe
        81⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653718.exe
        82⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653781.exe
        82⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654062.exe
        83⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654140.exe
        83⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654312.exe
        84⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4756
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        85⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656062.exe
        86⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3332
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        87⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656812.exe
        88⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4144
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        89⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657671.exe
        90⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657734.exe
        90⤵
        
        PID:4092
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658187.exe
        91⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658265.exe
        91⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659062.exe
        92⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3724
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        93⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659937.exe
        94⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1964
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        95⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661078.exe
        96⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661281.exe
        96⤵
        
        PID:1404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661968.exe
        97⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2404
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        98⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663562.exe
        99⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663640.exe
        99⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664296.exe
        100⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664359.exe
        100⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664921.exe
        101⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665000.exe
        101⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665437.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665500.exe
        102⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665828.exe
        103⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665937.exe
        103⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666281.exe
        104⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666359.exe
        104⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666625.exe
        105⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666671.exe
        105⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666890.exe
        106⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666984.exe
        106⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667265.exe
        107⤵
        
        PID:512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667296.exe
        107⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667406.exe
        108⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667437.exe
        108⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662046.exe
        97⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662593.exe
        98⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662750.exe
        98⤵
        
        PID:2544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663296.exe
        99⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1952
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        100⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664546.exe
        101⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664640.exe
        101⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665359.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665453.exe
        102⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666187.exe
        103⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666406.exe
        103⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666781.exe
        104⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666843.exe
        104⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667359.exe
        105⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667546.exe
        105⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668000.exe
        106⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668125.exe
        106⤵
        
        PID:3320
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668468.exe
        107⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669203.exe
        107⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669546.exe
        108⤵
        Checks computer location settings
        Modifies registry class
        
        PID:2160
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        109⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671484.exe
        110⤵
        Checks computer location settings
        Modifies registry class
        
        PID:716
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        111⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672296.exe
        112⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672437.exe
        112⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673093.exe
        113⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673125.exe
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673625.exe
        114⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673687.exe
        114⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674218.exe
        115⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674250.exe
        115⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674734.exe
        116⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674828.exe
        116⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675265.exe
        117⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675343.exe
        117⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675781.exe
        118⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1756
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        119⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677546.exe
        120⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:3740
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        121⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678875.exe
        122⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        123⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681218.exe
        124⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681421.exe
        124⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682125.exe
        125⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682171.exe
        125⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678968.exe
        122⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679718.exe
        123⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679796.exe
        123⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680406.exe
        124⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680500.exe
        124⤵
        
        PID:3620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681093.exe
        125⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        126⤵
        
        PID:436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682140.exe
        127⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682218.exe
        127⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681125.exe
        125⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681734.exe
        126⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681828.exe
        126⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682109.exe
        127⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682156.exe
        127⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677703.exe
        120⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678531.exe
        121⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678609.exe
        121⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679234.exe
        122⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679375.exe
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:1908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680046.exe
        123⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680140.exe
        123⤵
        
        PID:3148
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680562.exe
        124⤵
        System Location Discovery: System Language Discovery
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680671.exe
        124⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681109.exe
        125⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681140.exe
        125⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681484.exe
        126⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681593.exe
        126⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681968.exe
        127⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682046.exe
        127⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682265.exe
        128⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682375.exe
        128⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675812.exe
        118⤵
        
        PID:232
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676375.exe
        119⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676500.exe
        119⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677390.exe
        120⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677500.exe
        120⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677718.exe
        121⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677828.exe
        121⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678109.exe
        122⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678203.exe
        122⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671531.exe
        110⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672546.exe
        111⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1856
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        112⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673593.exe
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673718.exe
        113⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674296.exe
        114⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674375.exe
        114⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675109.exe
        115⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675218.exe
        115⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675796.exe
        116⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675843.exe
        116⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677109.exe
        117⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677156.exe
        117⤵
        
        PID:1420
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677656.exe
        118⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677750.exe
        118⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678250.exe
        119⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678343.exe
        119⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678671.exe
        120⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678718.exe
        120⤵
        
        PID:832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679046.exe
        121⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679156.exe
        121⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679468.exe
        122⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679625.exe
        122⤵
        
        PID:1748
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679781.exe
        123⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679890.exe
        123⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672625.exe
        111⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673187.exe
        112⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673265.exe
        112⤵
        
        PID:5068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673640.exe
        113⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673843.exe
        113⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674234.exe
        114⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674281.exe
        114⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674656.exe
        115⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674765.exe
        115⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675234.exe
        116⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675296.exe
        116⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675531.exe
        117⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675609.exe
        117⤵
        System Location Discovery: System Language Discovery
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675890.exe
        118⤵
        System Location Discovery: System Language Discovery
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675968.exe
        118⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676296.exe
        119⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676406.exe
        119⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677312.exe
        120⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677484.exe
        120⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669625.exe
        108⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669906.exe
        109⤵
        
        PID:4568
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669953.exe
        109⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670203.exe
        110⤵
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670281.exe
        110⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663375.exe
        99⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663859.exe
        100⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664109.exe
        100⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664484.exe
        101⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        102⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665781.exe
        103⤵
        
        PID:1520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666000.exe
        103⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666656.exe
        104⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2396
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        105⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667562.exe
        106⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:716
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        107⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669250.exe
        108⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669312.exe
        108⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670000.exe
        109⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670390.exe
        109⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670984.exe
        110⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671078.exe
        110⤵
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671515.exe
        111⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671562.exe
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672125.exe
        112⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672171.exe
        112⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672421.exe
        113⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672468.exe
        113⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672734.exe
        114⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672812.exe
        114⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673109.exe
        115⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673171.exe
        115⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673359.exe
        116⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4492
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        117⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674593.exe
        118⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:968
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        119⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675906.exe
        120⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676031.exe
        120⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677265.exe
        121⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677343.exe
        121⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678187.exe
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:64
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678265.exe
        122⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678812.exe
        123⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678906.exe
        123⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679734.exe
        124⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679812.exe
        124⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680265.exe
        125⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680343.exe
        125⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680718.exe
        126⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680812.exe
        126⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681156.exe
        127⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681359.exe
        127⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681656.exe
        128⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681718.exe
        128⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240681921.exe
        129⤵
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682000.exe
        129⤵
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682234.exe
        130⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240682328.exe
        130⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240674640.exe
        118⤵
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675312.exe
        119⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675406.exe
        119⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240675953.exe
        120⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240676140.exe
        120⤵
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677078.exe
        121⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677125.exe
        121⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677562.exe
        122⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240677625.exe
        122⤵
        
        PID:372
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678234.exe
        123⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678296.exe
        123⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678687.exe
        124⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240678781.exe
        124⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679125.exe
        125⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679187.exe
        125⤵
        
        PID:1028
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679703.exe
        126⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240679750.exe
        126⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680109.exe
        127⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680187.exe
        127⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680390.exe
        128⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240680468.exe
        128⤵
        
        PID:3052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673421.exe
        116⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673546.exe
        117⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240673609.exe
        117⤵
        
        PID:4524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667640.exe
        106⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668312.exe
        107⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668375.exe
        107⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669218.exe
        108⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669281.exe
        108⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669921.exe
        109⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670031.exe
        109⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670421.exe
        110⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670484.exe
        110⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670812.exe
        111⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670953.exe
        111⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671390.exe
        112⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671687.exe
        112⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672000.exe
        113⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672078.exe
        113⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672218.exe
        114⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672265.exe
        114⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672593.exe
        115⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672671.exe
        115⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666703.exe
        104⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667375.exe
        105⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667421.exe
        105⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667968.exe
        106⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668031.exe
        106⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669375.exe
        107⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669453.exe
        107⤵
        
        PID:532
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669875.exe
        108⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669937.exe
        108⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670328.exe
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670453.exe
        109⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670671.exe
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670750.exe
        110⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670968.exe
        111⤵
        
        PID:3980
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671031.exe
        111⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671359.exe
        112⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671421.exe
        112⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664562.exe
        101⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664953.exe
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:4604
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665156.exe
        102⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665406.exe
        103⤵
        
        PID:2124
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665593.exe
        103⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665859.exe
        104⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666093.exe
        104⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666265.exe
        105⤵
        
        PID:4704
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666312.exe
        105⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660015.exe
        94⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660656.exe
        95⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660703.exe
        95⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661328.exe
        96⤵
        System Location Discovery: System Language Discovery
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661406.exe
        96⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661796.exe
        97⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661984.exe
        97⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662500.exe
        98⤵
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662875.exe
        98⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663437.exe
        99⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663500.exe
        99⤵
        
        PID:5092
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663968.exe
        100⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664031.exe
        100⤵
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664281.exe
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664328.exe
        101⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664718.exe
        102⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664828.exe
        102⤵
        
        PID:4200
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664968.exe
        103⤵
        System Location Discovery: System Language Discovery
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665218.exe
        103⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659093.exe
        92⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659578.exe
        93⤵
        
        PID:5028
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659625.exe
        93⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660078.exe
        94⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660265.exe
        94⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660718.exe
        95⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660781.exe
        95⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661062.exe
        96⤵
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661156.exe
        96⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661390.exe
        97⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661468.exe
        97⤵
        
        PID:728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661687.exe
        98⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662015.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662296.exe
        99⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662390.exe
        99⤵
        
        PID:4660
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656890.exe
        88⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657421.exe
        89⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657484.exe
        89⤵
        
        PID:1960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657921.exe
        90⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658000.exe
        90⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658406.exe
        91⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658437.exe
        91⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659171.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659265.exe
        92⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659718.exe
        93⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659812.exe
        93⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660046.exe
        94⤵
        
        PID:732
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660109.exe
        94⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660453.exe
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660546.exe
        95⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660734.exe
        96⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660937.exe
        96⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661015.exe
        97⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4912
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        98⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662093.exe
        99⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662203.exe
        99⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662968.exe
        100⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663031.exe
        100⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663656.exe
        101⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663750.exe
        101⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664250.exe
        102⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664406.exe
        102⤵
        
        PID:512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664796.exe
        103⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664906.exe
        103⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665390.exe
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665421.exe
        104⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665703.exe
        105⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        106⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666828.exe
        107⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666906.exe
        107⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667468.exe
        108⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240667531.exe
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668062.exe
        109⤵
        
        PID:4376
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240668140.exe
        109⤵
        
        PID:3688
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669187.exe
        110⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240669234.exe
        110⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670312.exe
        111⤵
        
        PID:3228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670359.exe
        111⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670734.exe
        112⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240670796.exe
        112⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671218.exe
        113⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671296.exe
        113⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671640.exe
        114⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671703.exe
        114⤵
        System Location Discovery: System Language Discovery
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240671968.exe
        115⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672046.exe
        115⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672234.exe
        116⤵
        
        PID:728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240672484.exe
        116⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240665765.exe
        105⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666015.exe
        106⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666078.exe
        106⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666296.exe
        107⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666328.exe
        107⤵
        
        PID:116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666468.exe
        108⤵
        
        PID:5100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240666578.exe
        108⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661093.exe
        97⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656109.exe
        86⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656609.exe
        87⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656765.exe
        87⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657296.exe
        88⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657359.exe
        88⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657656.exe
        89⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1940
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        90⤵
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659140.exe
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:4296
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659234.exe
        91⤵
        
        PID:3720
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659984.exe
        92⤵
        
        PID:3232
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660062.exe
        92⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660796.exe
        93⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660859.exe
        93⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661343.exe
        94⤵
        
        PID:372
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240661531.exe
        94⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662484.exe
        95⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240662578.exe
        95⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663015.exe
        96⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663078.exe
        96⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663343.exe
        97⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663421.exe
        97⤵
        
        PID:3780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663703.exe
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240663812.exe
        98⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664046.exe
        99⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664140.exe
        99⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664421.exe
        100⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240664500.exe
        100⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657703.exe
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658078.exe
        90⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658156.exe
        90⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658484.exe
        91⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240658546.exe
        91⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659125.exe
        92⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659296.exe
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659640.exe
        93⤵
        
        PID:1136
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659703.exe
        93⤵
        
        PID:968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659890.exe
        94⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240659953.exe
        94⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660250.exe
        95⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240660359.exe
        95⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654390.exe
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654921.exe
        85⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654953.exe
        85⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649968.exe
        75⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650453.exe
        76⤵
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650484.exe
        76⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651031.exe
        77⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651359.exe
        77⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651843.exe
        78⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651968.exe
        78⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652343.exe
        79⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652453.exe
        79⤵
        
        PID:872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652703.exe
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652796.exe
        80⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653046.exe
        81⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3400
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        82⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654296.exe
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654359.exe
        83⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654968.exe
        84⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655000.exe
        84⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655500.exe
        85⤵
        
        PID:4268
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655546.exe
        85⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655890.exe
        86⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240655953.exe
        86⤵
        
        PID:2092
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656375.exe
        87⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656453.exe
        87⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656687.exe
        88⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656734.exe
        88⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240656906.exe
        89⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657031.exe
        89⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657250.exe
        90⤵
        
        PID:4544
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657328.exe
        90⤵
        
        PID:1916
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657406.exe
        91⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240657453.exe
        91⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653140.exe
        81⤵
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653312.exe
        82⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653390.exe
        82⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648281.exe
        72⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648406.exe
        73⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648500.exe
        73⤵
        
        PID:3260
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644250.exe
        63⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645015.exe
        64⤵
        
        PID:1856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645093.exe
        64⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645593.exe
        65⤵
        
        PID:64
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645640.exe
        65⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646093.exe
        66⤵
        
        PID:2088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646171.exe
        66⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646421.exe
        67⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4836
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        68⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647140.exe
        69⤵
        
        PID:736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647218.exe
        69⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648156.exe
        70⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648218.exe
        70⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648718.exe
        71⤵
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648921.exe
        71⤵
        
        PID:5080
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649328.exe
        72⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649421.exe
        72⤵
        
        PID:4144
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649812.exe
        73⤵
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650031.exe
        73⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650500.exe
        74⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650546.exe
        74⤵
        
        PID:3116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650843.exe
        75⤵
        
        PID:1632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650906.exe
        75⤵
        
        PID:4352
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651406.exe
        76⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651500.exe
        76⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651687.exe
        77⤵
        
        PID:672
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651781.exe
        77⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646468.exe
        67⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646859.exe
        68⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646937.exe
        68⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647078.exe
        69⤵
        
        PID:1312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647156.exe
        69⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647500.exe
        70⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647578.exe
        70⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647734.exe
        71⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647828.exe
        71⤵
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643312.exe
        61⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643718.exe
        62⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643781.exe
        62⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640234.exe
        56⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640703.exe
        57⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640765.exe
        57⤵
        
        PID:4060
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641125.exe
        58⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641171.exe
        58⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641609.exe
        59⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641656.exe
        59⤵
        
        PID:3488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642078.exe
        60⤵
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642156.exe
        60⤵
        
        PID:5000
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642500.exe
        61⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642578.exe
        61⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643062.exe
        62⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643125.exe
        62⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643375.exe
        63⤵
        System Location Discovery: System Language Discovery
        
        PID:4120
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643484.exe
        63⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639062.exe
        53⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639218.exe
        54⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639343.exe
        54⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639500.exe
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639546.exe
        55⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635781.exe
        46⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636187.exe
        47⤵
        
        PID:1244
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636218.exe
        47⤵
        
        PID:3784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636593.exe
        48⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:64
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        49⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637421.exe
        50⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637531.exe
        50⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637937.exe
        51⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638015.exe
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638328.exe
        52⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638359.exe
        52⤵
        System Location Discovery: System Language Discovery
        
        PID:4560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638656.exe
        53⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638890.exe
        53⤵
        
        PID:4392
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639093.exe
        54⤵
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639156.exe
        54⤵
        
        PID:828
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639421.exe
        55⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639484.exe
        55⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639593.exe
        56⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1476
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        57⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640218.exe
        58⤵
        System Location Discovery: System Language Discovery
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640281.exe
        58⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640687.exe
        59⤵
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640734.exe
        59⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641140.exe
        60⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641203.exe
        60⤵
        
        PID:1128
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641718.exe
        61⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641750.exe
        61⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642062.exe
        62⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642140.exe
        62⤵
        
        PID:3036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642515.exe
        63⤵
        
        PID:3256
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642593.exe
        63⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642843.exe
        64⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642921.exe
        64⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643093.exe
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643156.exe
        65⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643234.exe
        66⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643328.exe
        66⤵
        
        PID:1640
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639640.exe
        56⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639781.exe
        57⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639812.exe
        57⤵
        
        PID:1804
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636734.exe
        48⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636953.exe
        49⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637031.exe
        49⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637203.exe
        50⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637250.exe
        50⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637375.exe
        51⤵
        
        PID:728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637437.exe
        51⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634031.exe
        42⤵
        
        PID:4172
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634515.exe
        43⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634562.exe
        43⤵
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634906.exe
        44⤵
        
        PID:3332
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634968.exe
        44⤵
        
        PID:3100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635281.exe
        45⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635343.exe
        45⤵
        
        PID:1140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635562.exe
        46⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635640.exe
        46⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635875.exe
        47⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635953.exe
        47⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636234.exe
        48⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636281.exe
        48⤵
        
        PID:3772
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636640.exe
        49⤵
        
        PID:4696
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636703.exe
        49⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633218.exe
        40⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633312.exe
        41⤵
        System Location Discovery: System Language Discovery
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633375.exe
        41⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630078.exe
        32⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630234.exe
        33⤵
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630328.exe
        33⤵
        
        PID:4744
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627546.exe
        25⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627703.exe
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627765.exe
        26⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627937.exe
        27⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627984.exe
        27⤵
        
        PID:1276
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628046.exe
        28⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628265.exe
        28⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626421.exe
        21⤵
        Executes dropped EXE
        
        PID:760
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626578.exe
        22⤵
        Executes dropped EXE
        
        PID:1152
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626625.exe
        22⤵
        Executes dropped EXE
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626750.exe
        23⤵
        Executes dropped EXE
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626781.exe
        23⤵
        Executes dropped EXE
        
        PID:2072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626921.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        Modifies registry class
        
        PID:1060
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        25⤵
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627359.exe
        26⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627406.exe
        26⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627687.exe
        27⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627796.exe
        27⤵
        
        PID:4928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628093.exe
        28⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628296.exe
        28⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628421.exe
        29⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628453.exe
        29⤵
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628625.exe
        30⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628703.exe
        30⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628812.exe
        31⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628859.exe
        31⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626968.exe
        24⤵
        
        PID:2180
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627031.exe
        25⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627093.exe
        25⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625828.exe
        19⤵
        Executes dropped EXE
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626000.exe
        20⤵
        Executes dropped EXE
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626046.exe
        20⤵
        Executes dropped EXE
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626171.exe
        21⤵
        Executes dropped EXE
        
        PID:4992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626203.exe
        21⤵
        Executes dropped EXE
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626265.exe
        22⤵
        Executes dropped EXE
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626312.exe
        22⤵
        Executes dropped EXE
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625375.exe
        17⤵
        Executes dropped EXE
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625578.exe
        18⤵
        Executes dropped EXE
        
        PID:2896
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625656.exe
        18⤵
        Executes dropped EXE
        
        PID:3356
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625796.exe
        19⤵
        Executes dropped EXE
        
        PID:3628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625859.exe
        19⤵
        Executes dropped EXE
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626015.exe
        20⤵
        Executes dropped EXE
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626078.exe
        20⤵
        Executes dropped EXE
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623500.exe
        15⤵
        Executes dropped EXE
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623671.exe
        16⤵
        Executes dropped EXE
        
        PID:4596
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624359.exe
        16⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625359.exe
        17⤵
        Executes dropped EXE
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625437.exe
        17⤵
        Executes dropped EXE
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625562.exe
        18⤵
        Executes dropped EXE
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625609.exe
        18⤵
        Executes dropped EXE
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620828.exe
        13⤵
        Executes dropped EXE
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620968.exe
        14⤵
        Executes dropped EXE
        
        PID:3892
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621031.exe
        14⤵
        Executes dropped EXE
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621250.exe
        15⤵
        Executes dropped EXE
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621328.exe
        15⤵
        Executes dropped EXE
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616578.exe
        11⤵
        Executes dropped EXE
        
        PID:3556
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614796.exe
        8⤵
        Executes dropped EXE
        
        PID:536
      - C:\Users\Admin\AppData\Local\Temp\tmp240614546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614546.exe
        6⤵
        Executes dropped EXE
        
        PID:1728
  - - C:\Users\Admin\AppData\Local\Temp\tmp240613921.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240613921.exe
      4⤵
      Executes dropped EXE
      PID:4488
- C:\Users\Admin\AppData\Local\Temp\tmp240612609.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240612609.exe
  2⤵
  - Executes dropped EXE
  PID:4120

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
PID:2896

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv d27/6NCJCkaPdmULx8RSaw.0.2
1⤵
PID:2264

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
1⤵
PID:3140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp240612546.exe

Filesize
5.4MB

MD5
460ba2285283a2681bb18da100f4305f

SHA1
b96013dc77a8b3c1f99bf82bb2bf830f2651fb8b

SHA256
d4db34479345c2552dff3cb1e0b800a6d4d54d99b8d886eb9baeb59d85901055

SHA512
58a7e5a55de76b44cf9767931161779fa796b4fb2f5f8e4d134d181e1c785c35f70c80962b9d2c578ea0a05f7bf1612d50119580765806461e8c903033b122c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240612609.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240715953.exe

Filesize
4KB

MD5
214226b7c123529f58339aa29b463d11

SHA1
2151e89e3ab32463c72dfd9e2801ff1b2e22a8d6

SHA256
67312aab7ae94ee2a61d78c8a0d342f8983b2a55b94987993c3054a2c627b403

SHA512
2d09504be03c20713ef50e5a01d44aca0adcc400529994532799e757b8b71fe84ce0f13d13afeab52ffc8a09c6c181978fd672450882740b020454a2ceae601e

Download Submit
C:\Windows\SysWOW64\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
5.5MB

MD5
dce7b4d4b69ab0a740d898d331a08620

SHA1
20093ed2389ba386df3c185307b8d6f22736a31f

SHA256
c1492f83bf7e7e40541318e27fd7062d7e4d2319100feb9627c6f2aac98644b4

SHA512
713b1bcf8c2db2f617b46217689d83c320f2b264f1da7ade450e7765eba3bc77cf302d4491444cb64841774cb2590bbe24c28ba6dd3cb343cef2ea9801da7441

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
21.7MB

MD5
5fce646824eec88c56b0f893806f292b

SHA1
00a47e6bf9ca1a1a440482fb9e66894a99977cbf

SHA256
175c9adcedf045d921ec9f82517986bcd853accf98b296f117898f998a1f00c5

SHA512
19a42c35351771408648935a615d49adb6cdfc0d908d3e4164e42d5ae2a36f6f94a15e5e09aa1cdb58758db557ea0e78daeb58ec019f52e15fc3bc5fd91540ca

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
10.9MB

MD5
4f9920bbede9a4eaca5b7bc08b27ed6d

SHA1
33d2b936127c72bbd56fd028b6fca41d5851e15b

SHA256
1aa136a3e8bceba7fb8e89048e6a9ad27b45cff0ea2c27ba7216c846bf186260

SHA512
b46494581a245197c161ad1114e51b7f33f7005e7160249cc72a040c2d958853c7dbc44ed4677f88e75c4cc07565e62e38dd080b5905947ce972d95bee663069

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
16.3MB

MD5
4d28af1291fb0f95c430ec7895cd1f98

SHA1
fc01c3487383ff935fca1574270d59cf3152c0b3

SHA256
c52a0f7c7df1f54fd8419aefd9b9b6f9e02b2b6d771989abf448d3fdf4011c45

SHA512
6c832658f4ada961bdc715f75f365908afc989da21f402fba7a6de3bc8a8096601d3b6959b6631a3153e99cbf54358dd1d7a6fe9b899148f3171a8b284d12c5a

Download Submit
memory/400-704-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/468-632-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/468-665-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/632-679-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/632-637-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/760-404-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/832-156-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/908-378-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/964-439-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/968-129-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1060-456-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1152-30-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1152-399-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1160-648-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1276-528-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1276-507-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1284-702-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1284-185-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1284-715-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1368-415-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1404-390-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1476-54-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1476-72-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1516-492-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1516-310-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1516-666-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1516-684-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1536-578-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1536-591-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1564-267-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1564-292-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1576-131-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1576-163-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1636-297-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1664-634-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1664-612-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1780-227-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1884-767-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1928-436-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/1972-757-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2032-560-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2032-574-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2072-413-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2072-430-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2160-449-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2180-432-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2180-445-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2220-566-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2220-376-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2220-742-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2220-551-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2220-781-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2264-463-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2272-346-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2312-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2312-9-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2380-577-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2380-538-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2388-307-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2404-368-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2480-614-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2516-356-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2516-331-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2592-272-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2592-289-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2688-770-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2748-232-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2872-515-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2872-475-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2896-309-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/2908-784-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2908-765-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2912-78-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3068-373-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3068-736-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3120-458-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3188-669-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3220-723-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3232-32-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3232-52-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3256-268-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3276-276-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3276-256-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3276-454-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3308-333-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3356-335-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3400-497-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3400-510-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3488-793-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3496-263-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3496-241-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3528-77-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3528-87-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3628-151-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3628-327-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3688-106-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3724-237-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3724-224-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3892-209-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3932-411-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/3972-477-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4048-308-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4048-479-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4048-499-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4156-419-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4160-732-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4212-686-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4212-133-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4212-654-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4312-160-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4312-173-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4388-204-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4400-531-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4400-553-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4408-606-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4408-587-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4456-625-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4456-604-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4596-266-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4688-243-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4700-168-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4700-353-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4788-55-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4836-298-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4836-314-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4884-351-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download
memory/4928-533-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4980-491-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4980-461-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4992-364-0x0000000000400000-0x000000000040F000-memory.dmp

Filesize
60KB

Download