7f1dac56993ae75321c0f3d4c56e9d28e9904824d2e892aee5c210a886a3cbde

Analysis

max time kernel
38s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
08/09/2024, 00:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d32f6c099f99453d88f9063bd4127feb_JaffaCakes118.exe
Size

3.0MB
MD5

d32f6c099f99453d88f9063bd4127feb
SHA1

7c08dde881bf7b8d38db63e6e6fe4bf72daba213
SHA256

7f1dac56993ae75321c0f3d4c56e9d28e9904824d2e892aee5c210a886a3cbde
SHA512

d2db63312fe59c6465b0346c7c5372f6450d904f71072d08ad9f6146425cae3da54d144563b1a7a5a359d87df63187d911ea369ca05275b029ab25d9428aa109
SSDEEP

12288:HPFdPZdPNPFdPZdPIPFdPZdPzPFdPZdPSPFdPZdPcSDyTFtj8PjdPZdPFPFdPZdn:1DyTFtjdDyTFtjYDyTFtjSDyTFtj

Score

7^/10

discovery upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240615140.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240646640.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240623687.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240624562.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240629609.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240626640.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240645218.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240623843.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240612562.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240623140.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240643359.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240649359.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240627328.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240628343.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240647937.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240620593.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240621515.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240631875.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240647640.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240645984.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240646953.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240613609.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240613718.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240619421.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240625781.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240627125.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240613812.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240644359.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240648125.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240614000.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240615390.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240637031.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240647828.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240613078.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240626500.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240627468.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240613437.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240614937.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240622593.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240643781.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240648031.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240628187.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240637578.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240640515.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240648359.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240634062.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240634375.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240644015.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240613203.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240618203.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240618875.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240619890.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240621328.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240616546.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240620421.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240621187.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240624281.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240649453.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240615484.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240644656.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240648890.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240634687.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240612468.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	tmp240615234.exe

Executes dropped EXE 64 IoCs

pid	Process
4552	tmp240611828.exe
3560	tmp240611843.exe
5056	tmp240611875.exe
1384	tmp240611890.exe
2060	tmp240611937.exe
940	tmp240611953.exe
3524	tmp240612015.exe
3960	tmp240612031.exe
5088	tmp240612062.exe
4472	tmp240612078.exe
5024	notpad.exe
1020	tmp240612343.exe
960	tmp240612359.exe
2016	notpad.exe
4416	tmp240612468.exe
1588	tmp240612484.exe
456	notpad.exe
8	tmp240612562.exe
2184	tmp240612578.exe
2552	notpad.exe
5052	tmp240612734.exe
3604	tmp240612750.exe
3352	notpad.exe
4508	tmp240612843.exe
4404	tmp240612859.exe
2624	notpad.exe
3328	tmp240612953.exe
2632	tmp240612984.exe
1132	notpad.exe
2036	tmp240613078.exe
2296	tmp240613093.exe
1384	notpad.exe
2908	tmp240613203.exe
1976	tmp240613218.exe
4836	notpad.exe
3752	tmp240613296.exe
4016	tmp240613312.exe
3460	notpad.exe
3292	tmp240613437.exe
3468	tmp240613453.exe
2216	notpad.exe
1020	tmp240613609.exe
2748	tmp240613625.exe
656	notpad.exe
2824	tmp240613718.exe
4416	tmp240613734.exe
336	notpad.exe
3012	tmp240613812.exe
812	tmp240613828.exe
880	notpad.exe
4032	tmp240613906.exe
2928	tmp240613921.exe
2360	notpad.exe
4100	tmp240614000.exe
2032	tmp240614015.exe
4036	notpad.exe
3352	tmp240614078.exe
4936	tmp240614093.exe
1620	notpad.exe
4488	tmp240614187.exe
3312	tmp240614203.exe
3760	notpad.exe
4580	tmp240614281.exe
4860	tmp240614296.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4920-0-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x00090000000233e0-8.dat	upx
behavioral2/files/0x000700000002342f-17.dat	upx
behavioral2/memory/1384-20-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3560-23-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000023432-47.dat	upx
behavioral2/memory/1384-50-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4920-53-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000023433-27.dat	upx
behavioral2/files/0x0008000000023436-59.dat	upx
behavioral2/memory/940-65-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3960-77-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3960-62-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/files/0x0007000000023437-83.dat	upx
behavioral2/memory/5024-85-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5024-106-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2016-122-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/456-150-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2552-172-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3352-194-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2624-197-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2624-207-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1132-239-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1384-256-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4836-272-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3460-274-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3460-289-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2216-305-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/656-321-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/336-337-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/880-353-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2360-369-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4036-385-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1620-401-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3760-417-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2732-433-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2784-449-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1648-465-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2016-481-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4272-497-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2508-498-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2508-514-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2292-530-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/5020-546-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1780-562-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/432-578-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/468-594-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4592-610-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2472-626-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2864-642-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4628-658-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/944-674-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3400-690-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3420-706-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4312-722-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/4372-738-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3712-754-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2296-770-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1484-786-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3752-802-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/1880-818-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/3836-834-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/8-848-0x0000000000400000-0x000000000041F000-memory.dmp	upx
behavioral2/memory/2872-866-0x0000000000400000-0x000000000041F000-memory.dmp	upx

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240615671.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240617250.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240618875.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240626500.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240630078.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240633812.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240635515.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240648031.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240648125.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240623359.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240638765.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240644656.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240645406.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240647312.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240612734.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240613437.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240613609.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240616968.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240618453.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240620593.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240622593.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240630750.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240640984.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240646640.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240613296.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240614843.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240614937.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240648031.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240613609.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240615578.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240615906.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240616140.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240622968.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240627125.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240628187.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240632796.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240637578.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240614937.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240619140.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240620593.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240620812.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240633218.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240633812.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240634062.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240636765.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240642218.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240642828.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240644015.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240614625.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240618781.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240640296.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240624468.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240633625.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240645406.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240617468.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240624750.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240628187.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240641187.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240643359.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240646453.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240649359.exe
File opened for modification	C:\Windows\SysWOW64\fsb.tmp	tmp240616140.exe
File created	C:\Windows\SysWOW64\notpad.exe-	tmp240618203.exe
File created	C:\Windows\SysWOW64\notpad.exe	tmp240620968.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240614765.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240643968.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240647218.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240618781.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240634078.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240648312.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240644218.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240649375.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240622765.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240633828.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240630375.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240640312.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240616156.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240633640.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240648531.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240614015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240614500.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240637265.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240648937.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240648156.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240649468.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240649484.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240646796.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240627578.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240648093.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240650000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240627125.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240644390.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240611890.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240617156.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240635359.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240635109.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240646953.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240612484.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240643921.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240612843.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240647843.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240638765.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240647531.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240618796.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240630078.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240614093.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notpad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240622968.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmp240622234.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notpad.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240622765.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240634687.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240645406.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240613718.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240620593.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240644656.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240649843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240646281.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240618781.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240619234.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240619890.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240621734.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240619421.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240644015.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240645500.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240646078.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240646734.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240615765.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240620968.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240626203.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240632484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240615906.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240622109.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240625343.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240644843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240613078.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240624281.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240640296.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240644468.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240616671.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240626796.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240643359.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240648125.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240614843.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240615312.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240628515.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240631875.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240636375.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240642078.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240649359.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240622421.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240625093.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240635093.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240636156.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240643921.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240645078.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240625453.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240629906.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240637406.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240647937.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240617140.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240624468.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240625250.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240635515.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240649968.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240614484.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240630750.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240612562.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240635203.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240639500.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240644968.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240646640.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240614078.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\\system32\\NOTPAD.EXE %1"	tmp240614281.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4920 wrote to memory of 4552	4920	d32f6c099f99453d88f9063bd4127feb_JaffaCakes118.exe	83
PID 4920 wrote to memory of 4552	4920	d32f6c099f99453d88f9063bd4127feb_JaffaCakes118.exe	83
PID 4920 wrote to memory of 4552	4920	d32f6c099f99453d88f9063bd4127feb_JaffaCakes118.exe	83
PID 4920 wrote to memory of 3560	4920	d32f6c099f99453d88f9063bd4127feb_JaffaCakes118.exe	84
PID 4920 wrote to memory of 3560	4920	d32f6c099f99453d88f9063bd4127feb_JaffaCakes118.exe	84
PID 4920 wrote to memory of 3560	4920	d32f6c099f99453d88f9063bd4127feb_JaffaCakes118.exe	84
PID 3560 wrote to memory of 5056	3560	tmp240611843.exe	86
PID 3560 wrote to memory of 5056	3560	tmp240611843.exe	86
PID 3560 wrote to memory of 5056	3560	tmp240611843.exe	86
PID 3560 wrote to memory of 1384	3560	tmp240611843.exe	87
PID 3560 wrote to memory of 1384	3560	tmp240611843.exe	87
PID 3560 wrote to memory of 1384	3560	tmp240611843.exe	87
PID 1384 wrote to memory of 2060	1384	tmp240611890.exe	88
PID 1384 wrote to memory of 2060	1384	tmp240611890.exe	88
PID 1384 wrote to memory of 2060	1384	tmp240611890.exe	88
PID 1384 wrote to memory of 940	1384	tmp240611890.exe	89
PID 1384 wrote to memory of 940	1384	tmp240611890.exe	89
PID 1384 wrote to memory of 940	1384	tmp240611890.exe	89
PID 940 wrote to memory of 3524	940	tmp240611953.exe	90
PID 940 wrote to memory of 3524	940	tmp240611953.exe	90
PID 940 wrote to memory of 3524	940	tmp240611953.exe	90
PID 940 wrote to memory of 3960	940	tmp240611953.exe	91
PID 940 wrote to memory of 3960	940	tmp240611953.exe	91
PID 940 wrote to memory of 3960	940	tmp240611953.exe	91
PID 3960 wrote to memory of 5088	3960	tmp240612031.exe	92
PID 3960 wrote to memory of 5088	3960	tmp240612031.exe	92
PID 3960 wrote to memory of 5088	3960	tmp240612031.exe	92
PID 3960 wrote to memory of 4472	3960	tmp240612031.exe	93
PID 3960 wrote to memory of 4472	3960	tmp240612031.exe	93
PID 3960 wrote to memory of 4472	3960	tmp240612031.exe	93
PID 4552 wrote to memory of 5024	4552	tmp240611828.exe	94
PID 4552 wrote to memory of 5024	4552	tmp240611828.exe	94
PID 4552 wrote to memory of 5024	4552	tmp240611828.exe	94
PID 5024 wrote to memory of 1020	5024	notpad.exe	95
PID 5024 wrote to memory of 1020	5024	notpad.exe	95
PID 5024 wrote to memory of 1020	5024	notpad.exe	95
PID 5024 wrote to memory of 960	5024	notpad.exe	96
PID 5024 wrote to memory of 960	5024	notpad.exe	96
PID 5024 wrote to memory of 960	5024	notpad.exe	96
PID 1020 wrote to memory of 2016	1020	tmp240612343.exe	98
PID 1020 wrote to memory of 2016	1020	tmp240612343.exe	98
PID 1020 wrote to memory of 2016	1020	tmp240612343.exe	98
PID 2016 wrote to memory of 4416	2016	notpad.exe	131
PID 2016 wrote to memory of 4416	2016	notpad.exe	131
PID 2016 wrote to memory of 4416	2016	notpad.exe	131
PID 2016 wrote to memory of 1588	2016	notpad.exe	100
PID 2016 wrote to memory of 1588	2016	notpad.exe	100
PID 2016 wrote to memory of 1588	2016	notpad.exe	100
PID 4416 wrote to memory of 456	4416	tmp240612468.exe	101
PID 4416 wrote to memory of 456	4416	tmp240612468.exe	101
PID 4416 wrote to memory of 456	4416	tmp240612468.exe	101
PID 456 wrote to memory of 8	456	notpad.exe	102
PID 456 wrote to memory of 8	456	notpad.exe	102
PID 456 wrote to memory of 8	456	notpad.exe	102
PID 456 wrote to memory of 2184	456	notpad.exe	103
PID 456 wrote to memory of 2184	456	notpad.exe	103
PID 456 wrote to memory of 2184	456	notpad.exe	103
PID 8 wrote to memory of 2552	8	tmp240612562.exe	105
PID 8 wrote to memory of 2552	8	tmp240612562.exe	105
PID 8 wrote to memory of 2552	8	tmp240612562.exe	105
PID 2552 wrote to memory of 5052	2552	notpad.exe	106
PID 2552 wrote to memory of 5052	2552	notpad.exe	106
PID 2552 wrote to memory of 5052	2552	notpad.exe	106
PID 2552 wrote to memory of 3604	2552	notpad.exe	170

C:\Users\Admin\AppData\Local\Temp\d32f6c099f99453d88f9063bd4127feb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d32f6c099f99453d88f9063bd4127feb_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4920
- C:\Users\Admin\AppData\Local\Temp\tmp240611828.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240611828.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Windows\SysWOW64\notpad.exe
    "C:\Windows\system32\notpad.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:5024
  - - C:\Users\Admin\AppData\Local\Temp\tmp240612343.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240612343.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1020
    - - C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2016
      - C:\Users\Admin\AppData\Local\Temp\tmp240612468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612468.exe
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612562.exe
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:8
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612734.exe
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:5052
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        11⤵
        Executes dropped EXE
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612843.exe
        12⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4508
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        13⤵
        Executes dropped EXE
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612953.exe
        14⤵
        Executes dropped EXE
        
        PID:3328
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        15⤵
        Executes dropped EXE
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613078.exe
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2036
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        17⤵
        Executes dropped EXE
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613203.exe
        18⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2908
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613296.exe
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3752
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613437.exe
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:3292
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        23⤵
        Executes dropped EXE
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613609.exe
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1020
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        25⤵
        Executes dropped EXE
        
        PID:656
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613718.exe
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        
        PID:2824
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        27⤵
        Executes dropped EXE
        
        PID:336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613812.exe
        28⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:3012
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        29⤵
        Executes dropped EXE
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613906.exe
        30⤵
        Executes dropped EXE
        
        PID:4032
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        31⤵
        Executes dropped EXE
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614000.exe
        32⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4100
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        33⤵
        Executes dropped EXE
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614078.exe
        34⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:3352
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        35⤵
        Executes dropped EXE
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614187.exe
        36⤵
        Executes dropped EXE
        
        PID:4488
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        37⤵
        Executes dropped EXE
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614281.exe
        38⤵
        Executes dropped EXE
        Modifies registry class
        
        PID:4580
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        39⤵
        
        PID:2732
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614375.exe
        40⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        41⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614484.exe
        42⤵
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        43⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614625.exe
        44⤵
        Drops file in System32 directory
        
        PID:4916
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        45⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614750.exe
        46⤵
        
        PID:2192
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        47⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614843.exe
        48⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        49⤵
        System Location Discovery: System Language Discovery
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614937.exe
        50⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:3304
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615015.exe
        52⤵
        
        PID:3096
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        53⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615140.exe
        54⤵
        Checks computer location settings
        
        PID:972
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        55⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615234.exe
        56⤵
        Checks computer location settings
        
        PID:2248
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        57⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615312.exe
        58⤵
        Modifies registry class
        
        PID:4828
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        59⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615390.exe
        60⤵
        Checks computer location settings
        
        PID:3560
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        61⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615484.exe
        62⤵
        Checks computer location settings
        
        PID:2528
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        63⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615578.exe
        64⤵
        Drops file in System32 directory
        
        PID:4660
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        65⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615671.exe
        66⤵
        Drops file in System32 directory
        
        PID:2868
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        67⤵
        
        PID:4628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615765.exe
        68⤵
        Modifies registry class
        
        PID:2460
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        69⤵
        
        PID:944
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615906.exe
        70⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3252
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        71⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616031.exe
        72⤵
        
        PID:336
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        73⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616140.exe
        74⤵
        Drops file in System32 directory
        
        PID:1104
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        75⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616281.exe
        76⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        77⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616437.exe
        78⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        79⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616546.exe
        80⤵
        Checks computer location settings
        
        PID:3988
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        81⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616671.exe
        82⤵
        Modifies registry class
        
        PID:892
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        83⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616843.exe
        84⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        85⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616968.exe
        86⤵
        Drops file in System32 directory
        
        PID:4576
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        87⤵
        
        PID:1880
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617140.exe
        88⤵
        Modifies registry class
        
        PID:3996
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617250.exe
        90⤵
        Drops file in System32 directory
        
        PID:1788
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        91⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617468.exe
        92⤵
        Drops file in System32 directory
        
        PID:1004
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        93⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617625.exe
        94⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        95⤵
        
        PID:4952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617796.exe
        96⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        97⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617968.exe
        98⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        99⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618062.exe
        100⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618203.exe
        102⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1792
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        103⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618453.exe
        104⤵
        Drops file in System32 directory
        
        PID:5056
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        105⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618781.exe
        106⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4964
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        107⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618875.exe
        108⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:924
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        109⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619140.exe
        110⤵
        Drops file in System32 directory
        
        PID:1608
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        111⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619234.exe
        112⤵
        Modifies registry class
        
        PID:4752
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        113⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619328.exe
        114⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        115⤵
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619421.exe
        116⤵
        Checks computer location settings
        Modifies registry class
        
        PID:1032
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        117⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619671.exe
        118⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        119⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619890.exe
        120⤵
        Checks computer location settings
        Modifies registry class
        
        PID:864
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        121⤵
        
        PID:3284
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620046.exe
        122⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        123⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620218.exe
        124⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        125⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620421.exe
        126⤵
        Checks computer location settings
        
        PID:4424
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        127⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620593.exe
        128⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2784
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        129⤵
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620812.exe
        130⤵
        Drops file in System32 directory
        
        PID:4212
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        131⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620968.exe
        132⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1588
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        133⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621187.exe
        134⤵
        Checks computer location settings
        
        PID:1908
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        135⤵
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621328.exe
        136⤵
        Checks computer location settings
        
        PID:4892
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        137⤵
        
        PID:4624
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621515.exe
        138⤵
        Checks computer location settings
        
        PID:4784
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        139⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621734.exe
        140⤵
        Modifies registry class
        
        PID:4036
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        141⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622109.exe
        142⤵
        Modifies registry class
        
        PID:4320
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        143⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622234.exe
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:2548
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        145⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622421.exe
        146⤵
        Modifies registry class
        
        PID:468
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        147⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622593.exe
        148⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2612
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        149⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622765.exe
        150⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2628
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        151⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622968.exe
        152⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        153⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623140.exe
        154⤵
        Checks computer location settings
        
        PID:2780
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        155⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623359.exe
        156⤵
        Drops file in System32 directory
        
        PID:752
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623484.exe
        158⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        159⤵
        System Location Discovery: System Language Discovery
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623687.exe
        160⤵
        Checks computer location settings
        
        PID:2520
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623843.exe
        162⤵
        Checks computer location settings
        
        PID:3120
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        163⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624031.exe
        164⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        165⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624281.exe
        166⤵
        Checks computer location settings
        Modifies registry class
        
        PID:3316
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        167⤵
        
        PID:3160
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624468.exe
        168⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:5036
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        169⤵
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624562.exe
        170⤵
        Checks computer location settings
        
        PID:4016
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624750.exe
        172⤵
        Drops file in System32 directory
        
        PID:3752
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        173⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625093.exe
        174⤵
        Modifies registry class
        
        PID:1580
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        175⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625250.exe
        176⤵
        Modifies registry class
        
        PID:1788
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        177⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625343.exe
        178⤵
        Modifies registry class
        
        PID:2516
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        179⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625453.exe
        180⤵
        Modifies registry class
        
        PID:1652
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        181⤵
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625656.exe
        182⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        183⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625781.exe
        184⤵
        Checks computer location settings
        
        PID:1060
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        185⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625968.exe
        186⤵
        
        PID:740
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        187⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626203.exe
        188⤵
        Modifies registry class
        
        PID:3208
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        189⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626500.exe
        190⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:2924
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        191⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626640.exe
        192⤵
        Checks computer location settings
        
        PID:4608
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        193⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626796.exe
        194⤵
        Modifies registry class
        
        PID:1092
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        195⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627125.exe
        196⤵
        Checks computer location settings
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:748
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        197⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627328.exe
        198⤵
        Checks computer location settings
        
        PID:5052
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        199⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627468.exe
        200⤵
        Checks computer location settings
        
        PID:836
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        201⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627562.exe
        202⤵
        
        PID:1236
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        203⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627734.exe
        204⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        205⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627984.exe
        206⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        207⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628187.exe
        208⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4668
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        209⤵
        
        PID:4888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628343.exe
        210⤵
        Checks computer location settings
        
        PID:408
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        211⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628515.exe
        212⤵
        Modifies registry class
        
        PID:3760
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        213⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628781.exe
        214⤵
        
        PID:656
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        215⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628937.exe
        216⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        217⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629187.exe
        218⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        219⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629375.exe
        220⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        221⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629609.exe
        222⤵
        Checks computer location settings
        
        PID:2032
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        223⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629906.exe
        224⤵
        Modifies registry class
        
        PID:3928
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        225⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630078.exe
        226⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3160
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        227⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630359.exe
        228⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        229⤵
        System Location Discovery: System Language Discovery
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630562.exe
        230⤵
        
        PID:380
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        231⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630750.exe
        232⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:960
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        233⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630921.exe
        234⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        235⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631093.exe
        236⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        237⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631296.exe
        238⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        239⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631390.exe
        240⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        241⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631500.exe
        242⤵
        
        PID:864
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        243⤵
        System Location Discovery: System Language Discovery
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631671.exe
        244⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        245⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631875.exe
        246⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4660
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        247⤵
        System Location Discovery: System Language Discovery
        
        PID:4164
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632000.exe
        248⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        249⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632156.exe
        250⤵
        
        PID:208
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        251⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632296.exe
        252⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        253⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632484.exe
        254⤵
        Modifies registry class
        
        PID:564
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        255⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632625.exe
        256⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        257⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632796.exe
        258⤵
        Drops file in System32 directory
        
        PID:3688
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        259⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633031.exe
        260⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        261⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633218.exe
        262⤵
        Drops file in System32 directory
        
        PID:2364
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        263⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633359.exe
        264⤵
        
        PID:2452
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        265⤵
        
        PID:3172
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633625.exe
        266⤵
        Drops file in System32 directory
        
        PID:4884
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        267⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633812.exe
        268⤵
        Drops file in System32 directory
        
        PID:2192
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        269⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633906.exe
        270⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        271⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634062.exe
        272⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4496
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        273⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634250.exe
        274⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        275⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634375.exe
        276⤵
        Checks computer location settings
        
        PID:4328
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        277⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634515.exe
        278⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        279⤵
        
        PID:4880
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634687.exe
        280⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4860
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        281⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634875.exe
        282⤵
        
        PID:2124
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        283⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634953.exe
        284⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        285⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635093.exe
        286⤵
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        287⤵
        System Location Discovery: System Language Discovery
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635203.exe
        288⤵
        Modifies registry class
        
        PID:1464
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        289⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635359.exe
        290⤵
        System Location Discovery: System Language Discovery
        
        PID:5096
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        291⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635515.exe
        292⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3400
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        293⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635921.exe
        294⤵
        
        PID:5060
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        295⤵
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636156.exe
        296⤵
        Modifies registry class
        
        PID:4396
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        297⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636375.exe
        298⤵
        Modifies registry class
        
        PID:1620
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        299⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636546.exe
        300⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        301⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636765.exe
        302⤵
        Drops file in System32 directory
        
        PID:2020
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        303⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637031.exe
        304⤵
        Checks computer location settings
        
        PID:4204
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        305⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637250.exe
        306⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        307⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637406.exe
        308⤵
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        309⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637578.exe
        310⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:4680
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        311⤵
        
        PID:4032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637750.exe
        312⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        313⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637921.exe
        314⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        315⤵
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638109.exe
        316⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        317⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638312.exe
        318⤵
        
        PID:1852
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        319⤵
        
        PID:4488
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638593.exe
        320⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        321⤵
        
        PID:4364
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638765.exe
        322⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4848
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        323⤵
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638921.exe
        324⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        325⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639125.exe
        326⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        327⤵
        System Location Discovery: System Language Discovery
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639359.exe
        328⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        329⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639500.exe
        330⤵
        Modifies registry class
        
        PID:5040
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        331⤵
        
        PID:4280
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639640.exe
        332⤵
        
        PID:4340
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        333⤵
        System Location Discovery: System Language Discovery
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639984.exe
        334⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        335⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640296.exe
        336⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:3840
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        337⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640515.exe
        338⤵
        Checks computer location settings
        
        PID:2152
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        339⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640984.exe
        340⤵
        Drops file in System32 directory
        
        PID:3344
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        341⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641187.exe
        342⤵
        Drops file in System32 directory
        
        PID:2404
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        343⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641406.exe
        344⤵
        
        PID:3316
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        345⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641578.exe
        346⤵
        
        PID:4552
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        347⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641734.exe
        348⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        349⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641843.exe
        350⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        351⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642078.exe
        352⤵
        Modifies registry class
        
        PID:5048
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        353⤵
        
        PID:2292
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642218.exe
        354⤵
        Drops file in System32 directory
        
        PID:3268
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        355⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642421.exe
        356⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        357⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642671.exe
        358⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        359⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642828.exe
        360⤵
        Drops file in System32 directory
        
        PID:4580
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        361⤵
        System Location Discovery: System Language Discovery
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643015.exe
        362⤵
        
        PID:1060
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        363⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643359.exe
        364⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:2932
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        365⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643531.exe
        366⤵
        
        PID:1464
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        367⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643656.exe
        368⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        369⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643781.exe
        370⤵
        Checks computer location settings
        
        PID:2060
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        371⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643921.exe
        372⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1240
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        373⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644015.exe
        374⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4832
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        375⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644203.exe
        376⤵
        
        PID:740
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        377⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644359.exe
        378⤵
        Checks computer location settings
        
        PID:3524
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        379⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644468.exe
        380⤵
        Modifies registry class
        
        PID:2868
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        381⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644656.exe
        382⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:748
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        383⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644843.exe
        384⤵
        Modifies registry class
        
        PID:4272
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        385⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644968.exe
        386⤵
        Modifies registry class
        
        PID:4404
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        387⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645078.exe
        388⤵
        Modifies registry class
        
        PID:2124
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        389⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645218.exe
        390⤵
        Checks computer location settings
        
        PID:4536
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        391⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645312.exe
        392⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        393⤵
        
        PID:1448
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645406.exe
        394⤵
        Drops file in System32 directory
        Modifies registry class
        
        PID:1020
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        395⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645500.exe
        396⤵
        Modifies registry class
        
        PID:5052
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        397⤵
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645593.exe
        398⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        399⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645781.exe
        400⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        401⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645859.exe
        402⤵
        
        PID:224
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        403⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645984.exe
        404⤵
        Checks computer location settings
        
        PID:3152
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        405⤵
        
        PID:1812
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646078.exe
        406⤵
        Modifies registry class
        
        PID:380
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        407⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646281.exe
        408⤵
        Modifies registry class
        
        PID:3412
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        409⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646453.exe
        410⤵
        Drops file in System32 directory
        
        PID:4396
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        411⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646546.exe
        412⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        413⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646640.exe
        414⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1320
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        415⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646734.exe
        416⤵
        Modifies registry class
        
        PID:2296
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        417⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646828.exe
        418⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        419⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646953.exe
        420⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4576
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        421⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647093.exe
        422⤵
        
        PID:3544
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        423⤵
        
        PID:3324
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647203.exe
        424⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        425⤵
        System Location Discovery: System Language Discovery
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647312.exe
        426⤵
        Drops file in System32 directory
        
        PID:4760
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        427⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647484.exe
        428⤵
        
        PID:432
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        429⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647640.exe
        430⤵
        Checks computer location settings
        
        PID:2388
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        431⤵
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647828.exe
        432⤵
        Checks computer location settings
        
        PID:1112
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        433⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647937.exe
        434⤵
        Checks computer location settings
        Modifies registry class
        
        PID:4864
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        435⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648031.exe
        436⤵
        Checks computer location settings
        Drops file in System32 directory
        
        PID:1580
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        437⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648125.exe
        438⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:4116
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        439⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648265.exe
        440⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        441⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648359.exe
        442⤵
        Checks computer location settings
        
        PID:3228
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        443⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648484.exe
        444⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        445⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648656.exe
        446⤵
        
        PID:2512
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        447⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648890.exe
        448⤵
        Checks computer location settings
        
        PID:1812
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        449⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649109.exe
        450⤵
        
        PID:3412
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        451⤵
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649250.exe
        452⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        453⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649359.exe
        454⤵
        Checks computer location settings
        Drops file in System32 directory
        Modifies registry class
        
        PID:1236
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        455⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649453.exe
        456⤵
        Checks computer location settings
        
        PID:3688
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        457⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649562.exe
        458⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        459⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649734.exe
        460⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        461⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649843.exe
        462⤵
        Modifies registry class
        
        PID:2660
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        463⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649968.exe
        464⤵
        Modifies registry class
        
        PID:408
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        465⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650062.exe
        466⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        467⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650187.exe
        468⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        469⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650312.exe
        470⤵
        
        PID:4364
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        471⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650406.exe
        472⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        473⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650531.exe
        474⤵
        
        PID:4916
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        475⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650687.exe
        476⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        477⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650828.exe
        478⤵
        
        PID:1396
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        479⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650953.exe
        480⤵
        
        PID:220
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        481⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651093.exe
        482⤵
        
        PID:3984
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        483⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651218.exe
        484⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651265.exe
        484⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651296.exe
        485⤵
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651312.exe
        485⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651375.exe
        486⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651390.exe
        486⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651109.exe
        482⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651156.exe
        483⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651171.exe
        483⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651203.exe
        484⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        485⤵
        
        PID:324
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651328.exe
        486⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        487⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651515.exe
        488⤵
        
        PID:3888
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        489⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651671.exe
        490⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651843.exe
        490⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651875.exe
        491⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        492⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651984.exe
        493⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        494⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652125.exe
        495⤵
        
        PID:2892
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        496⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652265.exe
        497⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652421.exe
        497⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652468.exe
        498⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652484.exe
        498⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652500.exe
        499⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652671.exe
        499⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652140.exe
        495⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652234.exe
        496⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        497⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652343.exe
        498⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        499⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652437.exe
        500⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        501⤵
        
        PID:4912
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652562.exe
        502⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        503⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652781.exe
        504⤵
        
        PID:3288
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652812.exe
        504⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652875.exe
        505⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652890.exe
        505⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652906.exe
        506⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652921.exe
        506⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652625.exe
        502⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652796.exe
        503⤵
        
        PID:3152
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652937.exe
        503⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652531.exe
        500⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652703.exe
        501⤵
        
        PID:4252
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        502⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652843.exe
        503⤵
        
        PID:3920
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        504⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652953.exe
        503⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652984.exe
        504⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        505⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653109.exe
        506⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        507⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653281.exe
        508⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        509⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653390.exe
        510⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653406.exe
        510⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653515.exe
        511⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        512⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653640.exe
        513⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        514⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653843.exe
        515⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653859.exe
        515⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653890.exe
        516⤵
        
        PID:656
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653906.exe
        516⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653921.exe
        517⤵
        
        PID:1724
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        518⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654093.exe
        519⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654125.exe
        519⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654187.exe
        520⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654218.exe
        520⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653953.exe
        517⤵
        
        PID:5060
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654265.exe
        518⤵
        
        PID:4516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654312.exe
        518⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653656.exe
        513⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653671.exe
        514⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653687.exe
        514⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653718.exe
        515⤵
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653734.exe
        515⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653750.exe
        516⤵
        
        PID:1324
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        517⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653937.exe
        518⤵
        
        PID:2500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653968.exe
        518⤵
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654000.exe
        519⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654015.exe
        519⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654046.exe
        520⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        521⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654171.exe
        522⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        523⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654281.exe
        524⤵
        
        PID:2268
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654328.exe
        524⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654359.exe
        522⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654062.exe
        520⤵
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654156.exe
        521⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240654203.exe
        521⤵
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653812.exe
        516⤵
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653531.exe
        511⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653546.exe
        512⤵
        
        PID:1784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653578.exe
        512⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653312.exe
        508⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653375.exe
        509⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        510⤵
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653421.exe
        509⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653437.exe
        510⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653468.exe
        510⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653156.exe
        506⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653187.exe
        507⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653234.exe
        507⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653296.exe
        508⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653343.exe
        508⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653000.exe
        504⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653031.exe
        505⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653046.exe
        505⤵
        
        PID:1044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653093.exe
        501⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653218.exe
        502⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653250.exe
        502⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652406.exe
        498⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652453.exe
        499⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652718.exe
        499⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652734.exe
        500⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240653015.exe
        500⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652312.exe
        496⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652593.exe
        497⤵
        
        PID:3400
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652609.exe
        497⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652015.exe
        493⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652031.exe
        494⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652156.exe
        494⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652171.exe
        495⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652578.exe
        495⤵
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651921.exe
        491⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652046.exe
        492⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652296.exe
        492⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651531.exe
        488⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651546.exe
        489⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651578.exe
        489⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651343.exe
        486⤵
        
        PID:3640
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651421.exe
        487⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        488⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651625.exe
        489⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        490⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651718.exe
        491⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\notpad.exe
        
        "C:\Windows\system32\notpad.exe"
        492⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651875.exe
        493⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651906.exe
        493⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652062.exe
        494⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652078.exe
        494⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652093.exe
        495⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652109.exe
        495⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651734.exe
        491⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651750.exe
        492⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651828.exe
        492⤵
        
        PID:3096
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651890.exe
        493⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240652187.exe
        493⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651640.exe
        489⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651687.exe
        490⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651703.exe
        490⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651765.exe
        491⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651781.exe
        491⤵
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651437.exe
        487⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651453.exe
        488⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651484.exe
        488⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651234.exe
        484⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650968.exe
        480⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651000.exe
        481⤵
        
        PID:3344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651015.exe
        481⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651046.exe
        482⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240651078.exe
        482⤵
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650843.exe
        478⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650859.exe
        479⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650890.exe
        479⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650906.exe
        480⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650937.exe
        480⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650703.exe
        476⤵
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650734.exe
        477⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650750.exe
        477⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650781.exe
        478⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650796.exe
        478⤵
        
        PID:1652
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650546.exe
        474⤵
        
        PID:4212
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650578.exe
        475⤵
        
        PID:780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650593.exe
        475⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650421.exe
        472⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650437.exe
        473⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650453.exe
        473⤵
        
        PID:3292
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650328.exe
        470⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650359.exe
        471⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650375.exe
        471⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650203.exe
        468⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650218.exe
        469⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650234.exe
        469⤵
        
        PID:4480
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650078.exe
        466⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650093.exe
        467⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650109.exe
        467⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649984.exe
        464⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650000.exe
        465⤵
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240650015.exe
        465⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649859.exe
        462⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649875.exe
        463⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649890.exe
        463⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649750.exe
        460⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649781.exe
        461⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649796.exe
        461⤵
        
        PID:4752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649593.exe
        458⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649609.exe
        459⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649625.exe
        459⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649468.exe
        456⤵
        System Location Discovery: System Language Discovery
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649484.exe
        457⤵
        System Location Discovery: System Language Discovery
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649515.exe
        457⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649375.exe
        454⤵
        System Location Discovery: System Language Discovery
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649406.exe
        455⤵
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649421.exe
        455⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649265.exe
        452⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649281.exe
        453⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649296.exe
        453⤵
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649140.exe
        450⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649156.exe
        451⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240649187.exe
        451⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648906.exe
        448⤵
        
        PID:736
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648937.exe
        449⤵
        System Location Discovery: System Language Discovery
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648953.exe
        449⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648671.exe
        446⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648750.exe
        447⤵
        
        PID:4916
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648765.exe
        447⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648500.exe
        444⤵
        
        PID:892
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648531.exe
        445⤵
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648546.exe
        445⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648375.exe
        442⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648390.exe
        443⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648406.exe
        443⤵
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648281.exe
        440⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648296.exe
        441⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648312.exe
        441⤵
        System Location Discovery: System Language Discovery
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648140.exe
        438⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648156.exe
        439⤵
        System Location Discovery: System Language Discovery
        
        PID:784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648187.exe
        439⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648046.exe
        436⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648078.exe
        437⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648093.exe
        437⤵
        System Location Discovery: System Language Discovery
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647953.exe
        434⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647984.exe
        435⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240648000.exe
        435⤵
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647843.exe
        432⤵
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647859.exe
        433⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647875.exe
        433⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647671.exe
        430⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647703.exe
        431⤵
        
        PID:4588
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647718.exe
        431⤵
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647531.exe
        428⤵
        System Location Discovery: System Language Discovery
        
        PID:4836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647562.exe
        429⤵
        
        PID:1744
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647578.exe
        429⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647343.exe
        426⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647359.exe
        427⤵
        
        PID:1240
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647375.exe
        427⤵
        
        PID:1236
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647218.exe
        424⤵
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647234.exe
        425⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647265.exe
        425⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647109.exe
        422⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647125.exe
        423⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647140.exe
        423⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646968.exe
        420⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646984.exe
        421⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240647000.exe
        421⤵
        
        PID:4252
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646843.exe
        418⤵
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646875.exe
        419⤵
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646890.exe
        419⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646750.exe
        416⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646781.exe
        417⤵
        
        PID:3548
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646796.exe
        417⤵
        System Location Discovery: System Language Discovery
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646656.exe
        414⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646671.exe
        415⤵
        
        PID:1672
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646687.exe
        415⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646562.exe
        412⤵
        
        PID:1384
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646578.exe
        413⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646593.exe
        413⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646468.exe
        410⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646500.exe
        411⤵
        
        PID:220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646515.exe
        411⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646296.exe
        408⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646312.exe
        409⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646328.exe
        409⤵
        
        PID:3660
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646093.exe
        406⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646109.exe
        407⤵
        
        PID:2872
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646125.exe
        407⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646000.exe
        404⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646031.exe
        405⤵
        
        PID:3552
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240646046.exe
        405⤵
        
        PID:1484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645875.exe
        402⤵
        
        PID:5016
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645906.exe
        403⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645921.exe
        403⤵
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645796.exe
        400⤵
        
        PID:5020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645812.exe
        401⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645843.exe
        401⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645625.exe
        398⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645640.exe
        399⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645671.exe
        399⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645515.exe
        396⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645531.exe
        397⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645562.exe
        397⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645421.exe
        394⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645437.exe
        395⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645453.exe
        395⤵
        
        PID:3296
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645328.exe
        392⤵
        
        PID:4072
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645359.exe
        393⤵
        
        PID:4772
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645375.exe
        393⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645234.exe
        390⤵
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645265.exe
        391⤵
        
        PID:3752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645281.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645281.exe
        391⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645093.exe
        388⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645125.exe
        389⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645140.exe
        389⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644984.exe
        386⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645015.exe
        387⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240645031.exe
        387⤵
        
        PID:976
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644875.exe
        384⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644906.exe
        385⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644921.exe
        385⤵
        
        PID:2516
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644687.exe
        382⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644718.exe
        383⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644734.exe
        383⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644484.exe
        380⤵
        
        PID:3760
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644500.exe
        381⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644515.exe
        381⤵
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644375.exe
        378⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644390.exe
        379⤵
        System Location Discovery: System Language Discovery
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644406.exe
        379⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644218.exe
        376⤵
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644234.exe
        377⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644250.exe
        377⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644031.exe
        374⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644062.exe
        375⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240644078.exe
        375⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643937.exe
        372⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643953.exe
        373⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643968.exe
        373⤵
        System Location Discovery: System Language Discovery
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643796.exe
        370⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643828.exe
        371⤵
        
        PID:4328
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643843.exe
        371⤵
        
        PID:3268
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643671.exe
        368⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643703.exe
        369⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643718.exe
        369⤵
        
        PID:3412
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643546.exe
        366⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643562.exe
        367⤵
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643593.exe
        367⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643375.exe
        364⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643390.exe
        365⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643406.exe
        365⤵
        
        PID:4884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240643031.exe
        362⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642843.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642843.exe
        360⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642687.exe
        358⤵
        
        PID:4036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642453.exe
        356⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642250.exe
        354⤵
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240642093.exe
        352⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641859.exe
        350⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641750.exe
        348⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641625.exe
        346⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641421.exe
        344⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641218.exe
        342⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641000.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240641000.exe
        340⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640531.exe
        338⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640312.exe
        336⤵
        System Location Discovery: System Language Discovery
        
        PID:4344
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240640046.exe
        334⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639687.exe
        332⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639515.exe
        330⤵
        
        PID:3492
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639375.exe
        328⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639140.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240639140.exe
        326⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638937.exe
        324⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638781.exe
        322⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638609.exe
        320⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638359.exe
        318⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240638125.exe
        316⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637937.exe
        314⤵
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637765.exe
        312⤵
        
        PID:2812
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637593.exe
        310⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637421.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637421.exe
        308⤵
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637265.exe
        306⤵
        System Location Discovery: System Language Discovery
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240637046.exe
        304⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636781.exe
        302⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636562.exe
        300⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636390.exe
        298⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636187.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240636187.exe
        296⤵
        
        PID:5076
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635984.exe
        294⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635531.exe
        292⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635375.exe
        290⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635218.exe
        288⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240635109.exe
        286⤵
        System Location Discovery: System Language Discovery
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634968.exe
        284⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634890.exe
        282⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634718.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634718.exe
        280⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634531.exe
        278⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634390.exe
        276⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634265.exe
        274⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240634078.exe
        272⤵
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633921.exe
        270⤵
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633828.exe
        268⤵
        System Location Discovery: System Language Discovery
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633640.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633640.exe
        266⤵
        System Location Discovery: System Language Discovery
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633375.exe
        264⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633234.exe
        262⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240633046.exe
        260⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632828.exe
        258⤵
        
        PID:4740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632656.exe
        256⤵
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632500.exe
        254⤵
        
        PID:4100
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632312.exe
        252⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632171.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632171.exe
        250⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240632015.exe
        248⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631890.exe
        246⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631687.exe
        244⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631515.exe
        242⤵
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631406.exe
        240⤵
        
        PID:4580
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631312.exe
        238⤵
        
        PID:4688
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240631125.exe
        236⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630937.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630937.exe
        234⤵
        
        PID:564
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630781.exe
        232⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630593.exe
        230⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630375.exe
        228⤵
        System Location Discovery: System Language Discovery
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240630093.exe
        226⤵
        
        PID:2036
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629921.exe
        224⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629625.exe
        222⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629390.exe
        220⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240629218.exe
        218⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628968.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628968.exe
        216⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628796.exe
        214⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628546.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628546.exe
        212⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628359.exe
        210⤵
        
        PID:380
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628203.exe
        208⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240628031.exe
        206⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627781.exe
        204⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627578.exe
        202⤵
        System Location Discovery: System Language Discovery
        
        PID:3120
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627484.exe
        200⤵
        
        PID:4360
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627359.exe
        198⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240627156.exe
        196⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626812.exe
        194⤵
        
        PID:656
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626656.exe
        192⤵
        
        PID:208
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626515.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626515.exe
        190⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240626218.exe
        188⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625984.exe
        186⤵
        
        PID:3560
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625796.exe
        184⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625671.exe
        182⤵
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625468.exe
        180⤵
        
        PID:4760
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625359.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625359.exe
        178⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625265.exe
        176⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625109.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240625109.exe
        174⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624796.exe
        172⤵
        
        PID:924
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624578.exe
        170⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624484.exe
        168⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624296.exe
        166⤵
        
        PID:4140
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624046.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240624046.exe
        164⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623859.exe
        162⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623703.exe
        160⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623500.exe
        158⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623375.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623375.exe
        156⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240623156.exe
        154⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622984.exe
        152⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622781.exe
        150⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622609.exe
        148⤵
        
        PID:4592
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622437.exe
        146⤵
        
        PID:3740
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622250.exe
        144⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622125.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240622125.exe
        142⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621750.exe
        140⤵
        
        PID:4116
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621531.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621531.exe
        138⤵
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621343.exe
        136⤵
        
        PID:1324
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240621203.exe
        134⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620984.exe
        132⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620828.exe
        130⤵
        
        PID:4576
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620609.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620609.exe
        128⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620453.exe
        126⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620234.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620234.exe
        124⤵
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240620062.exe
        122⤵
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619906.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619906.exe
        120⤵
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619703.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619703.exe
        118⤵
        
        PID:3840
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619437.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619437.exe
        116⤵
        
        PID:348
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619343.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619343.exe
        114⤵
        
        PID:8
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619250.exe
        112⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240619156.exe
        110⤵
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618890.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618890.exe
        108⤵
        
        PID:3984
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618796.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618796.exe
        106⤵
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618468.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618468.exe
        104⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618218.exe
        102⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240618078.exe
        100⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617984.exe
        98⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617812.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617812.exe
        96⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617656.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617656.exe
        94⤵
        
        PID:3452
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617484.exe
        92⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617265.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617265.exe
        90⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240617156.exe
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616984.exe
        86⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616875.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616875.exe
        84⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616687.exe
        82⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616562.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616562.exe
        80⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616453.exe
        78⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616296.exe
        76⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616156.exe
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240616062.exe
        72⤵
        
        PID:2188
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615921.exe
        70⤵
        
        PID:4272
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615781.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615781.exe
        68⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615687.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615687.exe
        66⤵
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615593.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615593.exe
        64⤵
        
        PID:2796
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615500.exe
        62⤵
        
        PID:3076
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615406.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615406.exe
        60⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615328.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615328.exe
        58⤵
        
        PID:4968
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615250.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615250.exe
        56⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615156.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615156.exe
        54⤵
        
        PID:5064
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240615031.exe
        52⤵
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614953.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614953.exe
        50⤵
        
        PID:1684
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614859.exe
        48⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614765.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614765.exe
        46⤵
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614671.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614671.exe
        44⤵
        
        PID:3884
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614500.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614500.exe
        42⤵
        System Location Discovery: System Language Discovery
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614390.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614390.exe
        40⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614296.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614296.exe
        38⤵
        Executes dropped EXE
        
        PID:4860
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614203.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614203.exe
        36⤵
        Executes dropped EXE
        
        PID:3312
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614093.exe
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4936
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240614015.exe
        32⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613921.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613921.exe
        30⤵
        Executes dropped EXE
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613828.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613828.exe
        28⤵
        Executes dropped EXE
        
        PID:812
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613734.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613734.exe
        26⤵
        Executes dropped EXE
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613625.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613625.exe
        24⤵
        Executes dropped EXE
        
        PID:2748
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613453.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613453.exe
        22⤵
        Executes dropped EXE
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613312.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613312.exe
        20⤵
        Executes dropped EXE
        
        PID:4016
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613218.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613218.exe
        18⤵
        Executes dropped EXE
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613093.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240613093.exe
        16⤵
        Executes dropped EXE
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612984.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612984.exe
        14⤵
        Executes dropped EXE
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612859.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612859.exe
        12⤵
        Executes dropped EXE
        
        PID:4404
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612750.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612750.exe
        10⤵
        Executes dropped EXE
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612578.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612578.exe
        8⤵
        Executes dropped EXE
        
        PID:2184
      - C:\Users\Admin\AppData\Local\Temp\tmp240612484.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612484.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1588
  - - C:\Users\Admin\AppData\Local\Temp\tmp240612359.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240612359.exe
      4⤵
      Executes dropped EXE
      PID:960
- C:\Users\Admin\AppData\Local\Temp\tmp240611843.exe
  C:\Users\Admin\AppData\Local\Temp\tmp240611843.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3560
- - C:\Users\Admin\AppData\Local\Temp\tmp240611875.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240611875.exe
    3⤵
    - Executes dropped EXE
    PID:5056
- - C:\Users\Admin\AppData\Local\Temp\tmp240611890.exe
    C:\Users\Admin\AppData\Local\Temp\tmp240611890.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1384
  - - C:\Users\Admin\AppData\Local\Temp\tmp240611937.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240611937.exe
      4⤵
      Executes dropped EXE
      PID:2060
  - - C:\Users\Admin\AppData\Local\Temp\tmp240611953.exe
      C:\Users\Admin\AppData\Local\Temp\tmp240611953.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:940
    - - C:\Users\Admin\AppData\Local\Temp\tmp240612015.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612015.exe
        5⤵
        Executes dropped EXE
        
        PID:3524
    - - C:\Users\Admin\AppData\Local\Temp\tmp240612031.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612031.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3960
      - C:\Users\Admin\AppData\Local\Temp\tmp240612062.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612062.exe
        6⤵
        Executes dropped EXE
        
        PID:5088
      - C:\Users\Admin\AppData\Local\Temp\tmp240612078.exe
        
        C:\Users\Admin\AppData\Local\Temp\tmp240612078.exe
        6⤵
        Executes dropped EXE
        
        PID:4472

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:3668

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:4828

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv xnZbMlU3gEW70LuFTd63iw.0.2
1⤵
PID:4660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp240611828.exe

Filesize
123KB

MD5
d58fe1e8fe18394e0995986429b2ca3b

SHA1
f73633b5b0b6c1224810f8472d16824cdeb132bc

SHA256
70fbc4f3e0a397e371637013d3ae26c3a7a806abc97d0ad4267d2d74400e8da4

SHA512
f2ae129f534bffa370e917c093b37ae993e1448e434dd283f09bbea896dab6c140bea37486a8cb93f3bf02eb1e987bfc9694fa52a85b5f74b07ada4b129d2634

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240611843.exe

Filesize
604KB

MD5
5929b9c23f95836c6149366e454ac3fe

SHA1
4e0ad0d87f71e29b47c351890c9509ff0a319939

SHA256
35cb4e3e6e11540bdce92a1d580460fbdf152c7eec4b2bab0990d3c2bf4ea039

SHA512
7ad7e0d568b8add6c3a2f52eac8a348282b9704f10a129e7aa6f4ca479bd01d20744012e8f26cbd230df3e2af1533ef016e72aec7101afde003e0e05350789bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240611890.exe

Filesize
470KB

MD5
445e69fdab59983dd16d8b6a883250fd

SHA1
60868b848296c467aa8963263ca7d85e3786e57e

SHA256
aadd8c840d64d9dffb1af59bdbbfecd6fb5e8b68eb7070b2ac1cb2c33f01898d

SHA512
14d99b4f1c55326861b64d63259cd62fb6a12ce49dfc1cc48c181645334812db95615fdfd5632f5049bed975b9eaf2403005389c492e6b747408c3e31f33a904

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240611953.exe

Filesize
335KB

MD5
5a9c79aa36b764c745b177eca44ffc38

SHA1
698fc30a496cdb13d820e82ef2eded5b31fc4d39

SHA256
6331de09ae2ca9deef3b73c30c797220defce425fb89c3109a9d7ce7704c18d1

SHA512
6939ac545d3675c15d42cad54675d9c986891ab026aac9ef5e7167d3e509fe4ad895a417e5c3c05613eed6ccd1bf19ebbff0fe710ae2e73eb912b421065ca845

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240612031.exe

Filesize
201KB

MD5
2280cf04f6dc9d3f8edf4d91ae30c52b

SHA1
964329c715430e8a670dc959de2db0d09616c0cb

SHA256
e025ea0d8b3b4aebad30d407d8e2b34cbf8d65e3eb26fe31db0a81ebfcf8f5c5

SHA512
1c0244e0d3b6619417136056cb0ec4f972649251f8105595a3aeebdcfc4a9784a83c710b4cf56fd81e8f3cde2b4e25eea6e1fd745ab936b24adfd92086de412b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240612078.exe

Filesize
67KB

MD5
5e28284f9b5f9097640d58a73d38ad4c

SHA1
7a90f8b051bc82cc9cadbcc9ba345ced02891a6c

SHA256
865f34fe7ba81e9622ddbdfc511547d190367bbf3dad21ceb6da3eec621044f5

SHA512
cb7218cfea8813ae8c7acf6f7511aecbeb9d697986e0eb8538065bf9e3e9c6ced9c29270eb677f5acf08d2e94b21018d8c4a376aa646fa73ce831fc87d448934

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp240612359.exe

Filesize
162KB

MD5
e92d3a824a0578a50d2dd81b5060145f

SHA1
50ef7c645fd5cbb95d50fbaddf6213800f9296ec

SHA256
87f53bc444c05230ce439dbb127c03f2e374067d6fb08e91c834371fd9ecf661

SHA512
40d0ac6fa5a424b099923fcdb465e9a2f44569af1c75cf05323315a8720517316a7e8627be248cff3a83382fb6db1cf026161f627a39bc1908e63f67a34c0fd5

Download Submit
C:\Windows\SysWOW64\notpad.exe

Filesize
296KB

MD5
64dc26441d16d0d2c9761c08a1f5fa60

SHA1
2fdeb240241d4e0e131fa1de34173c3d8eb6360e

SHA256
5e86a3a641752af6f89a7ec7add17e347818720aa9051e334eb37ad6ad2bba4e

SHA512
cc662645a655f4e1ee7ff556bf5363377b2789b5f0552f4208906a43970d384c5faa9cc6065b1ca65d753672cbdf06076424146bc630b6f747b1058b648d6942

Download Submit
C:\fsb.stb

Filesize
10KB

MD5
280b12e4717c3a7cf2c39561b30bc9e6

SHA1
8bf777a28c25793357ce8305bf8b01987bc4d9f2

SHA256
f6ab4ba25b6075aa5a76d006c434e64cad37fdb2ff242c848c98fad5167a1bfc

SHA512
861560b01b9b02fcb80c4e233617d72684c7669e1bce3a234b0fafce733735619e6532fb065ed2d1a4c1249635dca7c75561daaaf92460fad3b8771bb20883b7

Download Submit
memory/8-152-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/8-848-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/336-337-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/432-578-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/432-1108-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/456-150-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/468-594-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/656-321-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/780-1348-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/812-1380-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/880-1044-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/880-353-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/940-65-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/944-674-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/972-547-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1020-306-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1020-108-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1044-434-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/1132-239-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1236-1412-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1384-256-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1384-20-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1384-50-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1484-786-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1564-931-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1564-947-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1620-1252-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1620-401-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1628-1300-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1648-465-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1744-1236-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1780-562-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1792-1284-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1812-1316-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1840-1188-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1880-818-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1888-1156-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1976-1124-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2016-481-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2016-122-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2036-241-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2060-43-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2192-482-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2216-305-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2248-563-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2292-530-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2296-770-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2360-369-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2472-626-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2508-514-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2508-498-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2552-1204-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2552-172-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2624-207-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2624-197-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2732-433-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2784-449-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2824-322-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/2864-642-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2872-866-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2888-1140-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2908-258-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3012-338-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3096-531-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3220-1028-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3284-1092-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3292-290-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3304-515-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3328-219-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3344-914-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3352-386-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3352-194-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3400-690-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3412-996-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3420-706-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3460-289-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3460-274-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3524-66-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3552-972-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3552-1332-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3560-23-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3712-754-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3752-802-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3752-273-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/3760-417-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3836-834-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3928-1076-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3932-1172-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3960-62-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/3960-77-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4016-948-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4016-964-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4032-354-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4036-385-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4100-370-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4140-1268-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4272-497-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4312-722-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4336-1428-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4356-500-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4372-738-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4416-130-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4488-402-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4508-196-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4552-87-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4580-418-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4592-610-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4624-1220-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4628-658-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4688-1396-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4740-1060-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4752-1364-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4800-1444-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4836-272-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4900-1012-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4916-466-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/4920-53-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4920-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4936-898-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4952-882-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4968-930-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5020-546-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5024-85-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5024-106-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/5040-450-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5052-174-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5056-46-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download
memory/5088-71-0x0000000000400000-0x0000000000415000-memory.dmp

Filesize
84KB

Download