27f10960594dc8b1c59001087b6027c19a583bea16ce4cac19efa71ed0b2e548

Analysis

max time kernel
77s
max time network
124s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
24/08/2024, 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf38333a1243cf12ea3216cc2f07bd24_JaffaCakes118.exe
Size

28KB
MD5

bf38333a1243cf12ea3216cc2f07bd24
SHA1

53c8653bc4cf317b3d8c1cdbd9aa6a65b8bdc308
SHA256

27f10960594dc8b1c59001087b6027c19a583bea16ce4cac19efa71ed0b2e548
SHA512

84ba45f4fefc3bc70cf470c11a93ddf1613df5aa1562bd808020b916c9ced96bcfd45a67ad78fcf7c986686586a1cc19e49ad44977d4ed06a229350248818c11
SSDEEP

768:SKH3OqDqRniZdPHeELIO3FrDyUxfha5G:SKXvGmdfeEsetOmP

Score

7^/10

aspackv2 discovery

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0005000000010300-8.dat	aspack_v212_v242

Executes dropped EXE 64 IoCs

pid	Process
2640	wintemp.exe
2644	wintemp.exe
2540	wintemp.exe
2084	wintemp.exe
1940	wintemp.exe
1956	wintemp.exe
2772	wintemp.exe
1220	wintemp.exe
2612	wintemp.exe
2860	wintemp.exe
2104	wintemp.exe
588	wintemp.exe
1240	wintemp.exe
2160	wintemp.exe
2184	wintemp.exe
748	wintemp.exe
108	wintemp.exe
1512	wintemp.exe
2380	wintemp.exe
3032	wintemp.exe
1676	wintemp.exe
3052	wintemp.exe
1316	wintemp.exe
2388	wintemp.exe
1320	wintemp.exe
2436	wintemp.exe
1616	wintemp.exe
2832	wintemp.exe
2852	wintemp.exe
2664	wintemp.exe
1564	wintemp.exe
2480	wintemp.exe
656	wintemp.exe
1524	wintemp.exe
1440	wintemp.exe
3024	wintemp.exe
2496	wintemp.exe
1496	wintemp.exe
2740	wintemp.exe
2600	wintemp.exe
2212	wintemp.exe
540	wintemp.exe
2348	wintemp.exe
1976	wintemp.exe
1896	wintemp.exe
2160	wintemp.exe
2236	wintemp.exe
1372	wintemp.exe
820	wintemp.exe
1636	wintemp.exe
1512	wintemp.exe
2992	wintemp.exe
3032	wintemp.exe
1096	wintemp.exe
2044	wintemp.exe
1032	wintemp.exe
2268	wintemp.exe
1584	wintemp.exe
2656	wintemp.exe
2320	wintemp.exe
2812	wintemp.exe
2208	wintemp.exe
2584	wintemp.exe
2560	wintemp.exe

Loads dropped DLL 64 IoCs

pid	Process
2852	bf38333a1243cf12ea3216cc2f07bd24_JaffaCakes118.exe
2852	bf38333a1243cf12ea3216cc2f07bd24_JaffaCakes118.exe
2640	wintemp.exe
2640	wintemp.exe
2644	wintemp.exe
2644	wintemp.exe
2540	wintemp.exe
2540	wintemp.exe
2084	wintemp.exe
2084	wintemp.exe
1940	wintemp.exe
1940	wintemp.exe
1956	wintemp.exe
1956	wintemp.exe
2772	wintemp.exe
2772	wintemp.exe
1220	wintemp.exe
1220	wintemp.exe
2612	wintemp.exe
2612	wintemp.exe
2860	wintemp.exe
2860	wintemp.exe
2104	wintemp.exe
2104	wintemp.exe
588	wintemp.exe
588	wintemp.exe
1240	wintemp.exe
1240	wintemp.exe
2160	wintemp.exe
2160	wintemp.exe
2184	wintemp.exe
2184	wintemp.exe
748	wintemp.exe
748	wintemp.exe
108	wintemp.exe
108	wintemp.exe
1512	wintemp.exe
1512	wintemp.exe
2380	wintemp.exe
2380	wintemp.exe
3032	wintemp.exe
3032	wintemp.exe
1676	wintemp.exe
1676	wintemp.exe
3052	wintemp.exe
3052	wintemp.exe
1316	wintemp.exe
1316	wintemp.exe
2388	wintemp.exe
2388	wintemp.exe
1320	wintemp.exe
1320	wintemp.exe
2436	wintemp.exe
2436	wintemp.exe
1616	wintemp.exe
1616	wintemp.exe
2832	wintemp.exe
2832	wintemp.exe
2852	wintemp.exe
2852	wintemp.exe
2664	wintemp.exe
2664	wintemp.exe
1564	wintemp.exe
1564	wintemp.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\syswow64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\syswow64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\syswow64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\syswow64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\syswow64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\syswow64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\syswow64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\syswow64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\syswow64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\syswow64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\syswow64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\syswow64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\syswow64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\syswow64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\syswow64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\syswow64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\syswow64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\syswow64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\syswow64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\syswow64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\syswow64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\syswow64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\syswow64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\syswow64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\syswow64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\syswow64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\syswow64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\syswow64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\syswow64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\syswow64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\syswow64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\syswow64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\syswow64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\syswow64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\syswow64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\syswow64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe
File opened for modification	\??\c:\windows\syswow64\wintemp.exe	wintemp.exe
File created	\??\c:\windows\SysWOW64\wintemp.exe	wintemp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wintemp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2640	2852	bf38333a1243cf12ea3216cc2f07bd24_JaffaCakes118.exe	30
PID 2852 wrote to memory of 2640	2852	bf38333a1243cf12ea3216cc2f07bd24_JaffaCakes118.exe	30
PID 2852 wrote to memory of 2640	2852	bf38333a1243cf12ea3216cc2f07bd24_JaffaCakes118.exe	30
PID 2852 wrote to memory of 2640	2852	bf38333a1243cf12ea3216cc2f07bd24_JaffaCakes118.exe	30
PID 2640 wrote to memory of 2644	2640	wintemp.exe	31
PID 2640 wrote to memory of 2644	2640	wintemp.exe	31
PID 2640 wrote to memory of 2644	2640	wintemp.exe	31
PID 2640 wrote to memory of 2644	2640	wintemp.exe	31
PID 2644 wrote to memory of 2540	2644	wintemp.exe	32
PID 2644 wrote to memory of 2540	2644	wintemp.exe	32
PID 2644 wrote to memory of 2540	2644	wintemp.exe	32
PID 2644 wrote to memory of 2540	2644	wintemp.exe	32
PID 2540 wrote to memory of 2084	2540	wintemp.exe	33
PID 2540 wrote to memory of 2084	2540	wintemp.exe	33
PID 2540 wrote to memory of 2084	2540	wintemp.exe	33
PID 2540 wrote to memory of 2084	2540	wintemp.exe	33
PID 2084 wrote to memory of 1940	2084	wintemp.exe	34
PID 2084 wrote to memory of 1940	2084	wintemp.exe	34
PID 2084 wrote to memory of 1940	2084	wintemp.exe	34
PID 2084 wrote to memory of 1940	2084	wintemp.exe	34
PID 1940 wrote to memory of 1956	1940	wintemp.exe	35
PID 1940 wrote to memory of 1956	1940	wintemp.exe	35
PID 1940 wrote to memory of 1956	1940	wintemp.exe	35
PID 1940 wrote to memory of 1956	1940	wintemp.exe	35
PID 1956 wrote to memory of 2772	1956	wintemp.exe	36
PID 1956 wrote to memory of 2772	1956	wintemp.exe	36
PID 1956 wrote to memory of 2772	1956	wintemp.exe	36
PID 1956 wrote to memory of 2772	1956	wintemp.exe	36
PID 2772 wrote to memory of 1220	2772	wintemp.exe	37
PID 2772 wrote to memory of 1220	2772	wintemp.exe	37
PID 2772 wrote to memory of 1220	2772	wintemp.exe	37
PID 2772 wrote to memory of 1220	2772	wintemp.exe	37
PID 1220 wrote to memory of 2612	1220	wintemp.exe	38
PID 1220 wrote to memory of 2612	1220	wintemp.exe	38
PID 1220 wrote to memory of 2612	1220	wintemp.exe	38
PID 1220 wrote to memory of 2612	1220	wintemp.exe	38
PID 2612 wrote to memory of 2860	2612	wintemp.exe	39
PID 2612 wrote to memory of 2860	2612	wintemp.exe	39
PID 2612 wrote to memory of 2860	2612	wintemp.exe	39
PID 2612 wrote to memory of 2860	2612	wintemp.exe	39
PID 2860 wrote to memory of 2104	2860	wintemp.exe	40
PID 2860 wrote to memory of 2104	2860	wintemp.exe	40
PID 2860 wrote to memory of 2104	2860	wintemp.exe	40
PID 2860 wrote to memory of 2104	2860	wintemp.exe	40
PID 2104 wrote to memory of 588	2104	wintemp.exe	41
PID 2104 wrote to memory of 588	2104	wintemp.exe	41
PID 2104 wrote to memory of 588	2104	wintemp.exe	41
PID 2104 wrote to memory of 588	2104	wintemp.exe	41
PID 588 wrote to memory of 1240	588	wintemp.exe	42
PID 588 wrote to memory of 1240	588	wintemp.exe	42
PID 588 wrote to memory of 1240	588	wintemp.exe	42
PID 588 wrote to memory of 1240	588	wintemp.exe	42
PID 1240 wrote to memory of 2160	1240	wintemp.exe	43
PID 1240 wrote to memory of 2160	1240	wintemp.exe	43
PID 1240 wrote to memory of 2160	1240	wintemp.exe	43
PID 1240 wrote to memory of 2160	1240	wintemp.exe	43
PID 2160 wrote to memory of 2184	2160	wintemp.exe	44
PID 2160 wrote to memory of 2184	2160	wintemp.exe	44
PID 2160 wrote to memory of 2184	2160	wintemp.exe	44
PID 2160 wrote to memory of 2184	2160	wintemp.exe	44
PID 2184 wrote to memory of 748	2184	wintemp.exe	45
PID 2184 wrote to memory of 748	2184	wintemp.exe	45
PID 2184 wrote to memory of 748	2184	wintemp.exe	45
PID 2184 wrote to memory of 748	2184	wintemp.exe	45

C:\Users\Admin\AppData\Local\Temp\bf38333a1243cf12ea3216cc2f07bd24_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bf38333a1243cf12ea3216cc2f07bd24_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2852
- C:\windows\SysWOW64\wintemp.exe
  "C:\windows\system32\wintemp.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\windows\SysWOW64\wintemp.exe
    "C:\windows\system32\wintemp.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2644
  - - C:\windows\SysWOW64\wintemp.exe
      "C:\windows\system32\wintemp.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2084
      - C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2104
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:588
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2184
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:748
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:108
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1512
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2380
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3032
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1676
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        23⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:3052
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1316
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        25⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2388
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1320
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        27⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2436
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:1616
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        29⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in System32 directory
        
        PID:2832
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2852
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        31⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2664
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1564
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        33⤵
        Executes dropped EXE
        
        PID:2480
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        34⤵
        Executes dropped EXE
        
        PID:656
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        35⤵
        Executes dropped EXE
        
        PID:1524
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        36⤵
        Executes dropped EXE
        
        PID:1440
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        37⤵
        Executes dropped EXE
        
        PID:3024
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        38⤵
        Executes dropped EXE
        
        PID:2496
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1496
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2740
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        41⤵
        Executes dropped EXE
        
        PID:2600
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        42⤵
        Executes dropped EXE
        
        PID:2212
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        43⤵
        Executes dropped EXE
        
        PID:540
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        44⤵
        Executes dropped EXE
        
        PID:2348
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        45⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1976
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        46⤵
        Executes dropped EXE
        
        PID:1896
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        47⤵
        Executes dropped EXE
        
        PID:2160
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        48⤵
        Executes dropped EXE
        
        PID:2236
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        49⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1372
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        50⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:820
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        51⤵
        Executes dropped EXE
        
        PID:1636
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1512
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        53⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2992
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        54⤵
        Executes dropped EXE
        
        PID:3032
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        55⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:1096
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        56⤵
        Executes dropped EXE
        
        PID:2044
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        57⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        58⤵
        Executes dropped EXE
        
        PID:2268
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        59⤵
        Executes dropped EXE
        
        PID:1584
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        60⤵
        Executes dropped EXE
        
        PID:2656
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        61⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        62⤵
        Executes dropped EXE
        
        PID:2812
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        63⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2208
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        64⤵
        Executes dropped EXE
        
        PID:2584
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        65⤵
        Executes dropped EXE
        Drops file in System32 directory
        
        PID:2560
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:816
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        67⤵
        Drops file in System32 directory
        
        PID:2292
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:1276
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        69⤵
        
        PID:3016
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        70⤵
        
        PID:2936
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        71⤵
        Drops file in System32 directory
        
        PID:2908
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        72⤵
        
        PID:444
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        73⤵
        
        PID:2056
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        74⤵
        
        PID:684
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        75⤵
        Drops file in System32 directory
        
        PID:2104
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        76⤵
        
        PID:2076
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        77⤵
        
        PID:2356
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        78⤵
        Drops file in System32 directory
        
        PID:2220
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        79⤵
        
        PID:1696
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        80⤵
        Drops file in System32 directory
        
        PID:2184
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        81⤵
        
        PID:748
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        82⤵
        
        PID:2396
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        83⤵
        
        PID:2984
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        84⤵
        
        PID:1888
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        85⤵
        
        PID:1600
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        86⤵
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        87⤵
        
        PID:380
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        88⤵
        Drops file in System32 directory
        
        PID:2248
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        89⤵
        
        PID:1288
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        90⤵
        
        PID:1508
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        91⤵
        
        PID:2824
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        92⤵
        
        PID:2808
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        93⤵
        
        PID:2308
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        94⤵
        
        PID:2848
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        95⤵
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        96⤵
        
        PID:2644
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        97⤵
        Drops file in System32 directory
        
        PID:2912
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        98⤵
        
        PID:2724
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        99⤵
        
        PID:744
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        100⤵
        Drops file in System32 directory
        
        PID:2692
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        101⤵
        
        PID:3024
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        102⤵
        
        PID:2496
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        103⤵
        
        PID:2800
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        104⤵
        
        PID:2612
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        105⤵
        
        PID:1864
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        106⤵
        
        PID:2344
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        107⤵
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        108⤵
        
        PID:592
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        109⤵
        
        PID:1240
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        110⤵
        
        PID:2460
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:1756
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        113⤵
        
        PID:2952
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        114⤵
        Drops file in System32 directory
        
        PID:1556
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        115⤵
        
        PID:1796
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        116⤵
        Drops file in System32 directory
        
        PID:1984
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        117⤵
        
        PID:2992
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        118⤵
        
        PID:980
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        119⤵
        Drops file in System32 directory
        
        PID:2264
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        120⤵
        
        PID:1528
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        121⤵
        
        PID:872
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        122⤵
        
        PID:2444
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        123⤵
        
        PID:2196
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        124⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2764
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        125⤵
        System Location Discovery: System Language Discovery
        
        PID:2884
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        126⤵
        
        PID:2680
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        127⤵
        
        PID:2996
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        128⤵
        
        PID:2060
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        129⤵
        
        PID:2032
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        130⤵
        
        PID:2004
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        131⤵
        
        PID:3020
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        132⤵
        Drops file in System32 directory
        
        PID:2300
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        133⤵
        
        PID:2736
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        134⤵
        
        PID:2940
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        135⤵
        
        PID:1184
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        136⤵
        
        PID:340
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        137⤵
        
        PID:536
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        138⤵
        
        PID:2192
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        139⤵
        
        PID:3036
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        140⤵
        
        PID:2204
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        141⤵
        
        PID:792
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        142⤵
        
        PID:1104
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        143⤵
        
        PID:1384
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        144⤵
        
        PID:1760
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        145⤵
        
        PID:884
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        146⤵
        
        PID:1876
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:1548
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        148⤵
        Drops file in System32 directory
        
        PID:376
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        149⤵
        
        PID:1860
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        150⤵
        
        PID:604
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        151⤵
        
        PID:1168
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        152⤵
        
        PID:1304
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        153⤵
        
        PID:2596
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        154⤵
        
        PID:2436
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        155⤵
        
        PID:1612
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        156⤵
        
        PID:2776
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        157⤵
        Drops file in System32 directory
        
        PID:2988
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        158⤵
        
        PID:2816
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        159⤵
        Drops file in System32 directory
        
        PID:2664
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        160⤵
        Drops file in System32 directory
        
        PID:344
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:1960
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        162⤵
        
        PID:1216
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        163⤵
        
        PID:2628
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        164⤵
        
        PID:2772
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        165⤵
        Drops file in System32 directory
        
        PID:1496
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        166⤵
        System Location Discovery: System Language Discovery
        
        PID:2496
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        167⤵
        System Location Discovery: System Language Discovery
        
        PID:2728
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        168⤵
        
        PID:2304
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        169⤵
        
        PID:2052
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        170⤵
        
        PID:2064
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        171⤵
        
        PID:588
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        172⤵
        
        PID:3036
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        173⤵
        
        PID:2204
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        174⤵
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        175⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1104
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        176⤵
        
        PID:1384
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        177⤵
        
        PID:1372
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        178⤵
        
        PID:748
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        179⤵
        
        PID:2380
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        180⤵
        
        PID:1872
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        181⤵
        
        PID:1512
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        182⤵
        
        PID:1860
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        183⤵
        
        PID:1316
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        184⤵
        
        PID:1308
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        185⤵
        Drops file in System32 directory
        
        PID:2888
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        186⤵
        System Location Discovery: System Language Discovery
        
        PID:568
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        187⤵
        
        PID:1064
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        188⤵
        
        PID:988
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        189⤵
        
        PID:2784
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        190⤵
        
        PID:2988
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        191⤵
        System Location Discovery: System Language Discovery
        
        PID:2672
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        192⤵
        
        PID:1524
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        193⤵
        
        PID:2932
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        194⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1312
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        195⤵
        
        PID:1196
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        196⤵
        
        PID:1484
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        197⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        198⤵
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        199⤵
        Drops file in System32 directory
        
        PID:1136
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        200⤵
        
        PID:2728
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        201⤵
        
        PID:2788
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        202⤵
        
        PID:2352
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        203⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        204⤵
        
        PID:588
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        205⤵
        
        PID:968
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        206⤵
        System Location Discovery: System Language Discovery
        
        PID:2204
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        207⤵
        
        PID:2184
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        208⤵
        System Location Discovery: System Language Discovery
        
        PID:1760
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        209⤵
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        210⤵
        System Location Discovery: System Language Discovery
        
        PID:1636
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        211⤵
        
        PID:2468
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        212⤵
        System Location Discovery: System Language Discovery
        
        PID:772
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        213⤵
        
        PID:1676
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        214⤵
        Drops file in System32 directory
        
        PID:1780
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        215⤵
        Drops file in System32 directory
        
        PID:632
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        216⤵
        Drops file in System32 directory
        
        PID:1316
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        217⤵
        
        PID:1288
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        218⤵
        System Location Discovery: System Language Discovery
        
        PID:2268
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        219⤵
        
        PID:1228
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        220⤵
        
        PID:1064
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        221⤵
        
        PID:3012
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        222⤵
        
        PID:2756
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        223⤵
        Drops file in System32 directory
        
        PID:2812
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        224⤵
        Drops file in System32 directory
        
        PID:2208
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        225⤵
        
        PID:2060
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        226⤵
        Drops file in System32 directory
        
        PID:2544
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        227⤵
        
        PID:1940
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        228⤵
        Drops file in System32 directory
        
        PID:2300
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        229⤵
        
        PID:2580
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        230⤵
        
        PID:2752
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        231⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2124
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        232⤵
        
        PID:2176
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        233⤵
        
        PID:2324
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        234⤵
        Drops file in System32 directory
        
        PID:1864
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        235⤵
        
        PID:1048
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        236⤵
        System Location Discovery: System Language Discovery
        
        PID:2340
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        237⤵
        
        PID:2128
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        238⤵
        
        PID:2220
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        239⤵
        Drops file in System32 directory
        
        PID:2460
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        240⤵
        
        PID:2416
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        241⤵
        
        PID:1760
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        242⤵
        
        PID:1488
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        243⤵
        Drops file in System32 directory
        
        PID:2148
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        244⤵
        
        PID:108
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        245⤵
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        246⤵
        Drops file in System32 directory
        
        PID:1676
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        247⤵
        
        PID:892
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        248⤵
        
        PID:1660
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        249⤵
        
        PID:1528
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        250⤵
        
        PID:2516
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        251⤵
        Drops file in System32 directory
        
        PID:2268
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        252⤵
        
        PID:1584
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        253⤵
        
        PID:2884
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        254⤵
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        255⤵
        Drops file in System32 directory
        
        PID:2756
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        256⤵
        
        PID:2848
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        257⤵
        
        PID:2088
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        258⤵
        System Location Discovery: System Language Discovery
        
        PID:2932
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        259⤵
        
        PID:1924
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        260⤵
        
        PID:2448
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        261⤵
        Drops file in System32 directory
        
        PID:3000
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        262⤵
        
        PID:2916
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        263⤵
        
        PID:2572
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        264⤵
        
        PID:2860
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        265⤵
        
        PID:764
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        266⤵
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        267⤵
        Drops file in System32 directory
        
        PID:2348
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        268⤵
        Drops file in System32 directory
        
        PID:1936
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        269⤵
        
        PID:2136
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        270⤵
        
        PID:2316
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        271⤵
        
        PID:1532
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        272⤵
        
        PID:836
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        273⤵
        
        PID:1340
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        274⤵
        System Location Discovery: System Language Discovery
        
        PID:1372
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        275⤵
        
        PID:1988
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        276⤵
        
        PID:2468
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        277⤵
        
        PID:1984
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        278⤵
        
        PID:1792
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        279⤵
        
        PID:2152
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        280⤵
        
        PID:3048
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        281⤵
        
        PID:2596
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        282⤵
        
        PID:2228
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        283⤵
        
        PID:1616
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        284⤵
        
        PID:3064
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        285⤵
        
        PID:988
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        286⤵
        
        PID:2656
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        287⤵
        
        PID:1380
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        288⤵
        
        PID:1684
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        289⤵
        
        PID:2552
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        290⤵
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        291⤵
        
        PID:744
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        292⤵
        
        PID:2144
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        293⤵
        
        PID:920
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        294⤵
        
        PID:2940
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        295⤵
        Drops file in System32 directory
        
        PID:2744
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        296⤵
        Drops file in System32 directory
        
        PID:2612
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        297⤵
        System Location Discovery: System Language Discovery
        
        PID:340
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        298⤵
        System Location Discovery: System Language Discovery
        
        PID:2600
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        299⤵
        Drops file in System32 directory
        
        PID:2188
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        300⤵
        Drops file in System32 directory
        
        PID:2736
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        301⤵
        
        PID:2076
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        302⤵
        System Location Discovery: System Language Discovery
        
        PID:1176
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        303⤵
        
        PID:2100
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        304⤵
        
        PID:2184
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        305⤵
        
        PID:1020
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        306⤵
        
        PID:2096
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        307⤵
        
        PID:1372
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        308⤵
        System Location Discovery: System Language Discovery
        
        PID:1988
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        309⤵
        
        PID:3060
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        310⤵
        
        PID:2992
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        311⤵
        
        PID:2388
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        312⤵
        Drops file in System32 directory
        
        PID:2372
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        313⤵
        
        PID:892
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        314⤵
        System Location Discovery: System Language Discovery
        
        PID:1320
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        315⤵
        
        PID:1528
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        316⤵
        
        PID:772
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        317⤵
        
        PID:1068
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        318⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3064
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        319⤵
        
        PID:2480
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        320⤵
        
        PID:2716
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        321⤵
        
        PID:2400
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        322⤵
        
        PID:2848
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        323⤵
        
        PID:1312
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        324⤵
        
        PID:932
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        325⤵
        
        PID:3020
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        326⤵
        
        PID:2476
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        327⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1484
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        328⤵
        Drops file in System32 directory
        
        PID:2940
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        329⤵
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        330⤵
        
        PID:2612
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        331⤵
        
        PID:340
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        332⤵
        
        PID:2936
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        333⤵
        
        PID:336
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        334⤵
        
        PID:1896
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        335⤵
        
        PID:1892
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        336⤵
        
        PID:2204
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        337⤵
        System Location Discovery: System Language Discovery
        
        PID:2316
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        338⤵
        
        PID:1532
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        339⤵
        
        PID:1404
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        340⤵
        Drops file in System32 directory
        
        PID:1760
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        341⤵
        System Location Discovery: System Language Discovery
        
        PID:1868
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        342⤵
        
        PID:1672
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        343⤵
        System Location Discovery: System Language Discovery
        
        PID:3060
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        344⤵
        
        PID:108
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        345⤵
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1492
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        346⤵
        System Location Discovery: System Language Discovery
        
        PID:288
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        347⤵
        
        PID:2808
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        348⤵
        
        PID:2436
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        349⤵
        System Location Discovery: System Language Discovery
        
        PID:1260
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        350⤵
        System Location Discovery: System Language Discovery
        
        PID:828
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        351⤵
        
        PID:2332
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        352⤵
        
        PID:1004
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        353⤵
        
        PID:2648
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        354⤵
        System Location Discovery: System Language Discovery
        
        PID:2784
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        355⤵
        
        PID:2616
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        356⤵
        
        PID:2988
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        357⤵
        
        PID:2032
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        358⤵
        
        PID:2060
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        359⤵
        
        PID:1692
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        360⤵
        
        PID:744
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        361⤵
        
        PID:2692
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        362⤵
        
        PID:2608
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        363⤵
        
        PID:1140
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        364⤵
        
        PID:2792
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        365⤵
        
        PID:2572
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        366⤵
        
        PID:2860
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        367⤵
        
        PID:668
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        368⤵
        
        PID:1976
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        369⤵
        
        PID:2312
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        370⤵
        
        PID:2340
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        371⤵
        
        PID:868
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        372⤵
        
        PID:1756
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        373⤵
        
        PID:2172
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        374⤵
        
        PID:1340
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        375⤵
        
        PID:2396
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        376⤵
        
        PID:1796
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        377⤵
        
        PID:2468
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        378⤵
        
        PID:1988
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        379⤵
        
        PID:1792
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        380⤵
        
        PID:2440
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        381⤵
        
        PID:632
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        382⤵
        
        PID:1316
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        383⤵
        
        PID:1660
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        384⤵
        
        PID:2852
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        385⤵
        
        PID:1652
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        386⤵
        
        PID:2636
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        387⤵
        
        PID:1712
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        388⤵
        
        PID:2528
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        389⤵
        
        PID:2120
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        390⤵
        
        PID:2816
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        391⤵
        
        PID:2664
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        392⤵
        
        PID:1956
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        393⤵
        
        PID:904
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        394⤵
        
        PID:2864
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        395⤵
        
        PID:816
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        396⤵
        
        PID:1148
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        397⤵
        
        PID:920
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        398⤵
        
        PID:2804
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        399⤵
        
        PID:2752
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        400⤵
        
        PID:912
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        401⤵
        
        PID:2364
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        402⤵
        
        PID:764
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        403⤵
        
        PID:1748
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        404⤵
        
        PID:3036
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        405⤵
        
        PID:2908
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        406⤵
        
        PID:2312
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        407⤵
        
        PID:2112
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        408⤵
        
        PID:868
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        409⤵
        
        PID:1884
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        410⤵
        
        PID:2172
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        411⤵
        
        PID:1384
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        412⤵
        
        PID:376
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        413⤵
        
        PID:1796
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        414⤵
        
        PID:1812
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        415⤵
        
        PID:3032
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        416⤵
        
        PID:2252
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        417⤵
        
        PID:2440
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        418⤵
        
        PID:2660
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        419⤵
        
        PID:2028
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        420⤵
        
        PID:1660
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        421⤵
        
        PID:2268
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        422⤵
        
        PID:1608
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        423⤵
        
        PID:2516
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        424⤵
        
        PID:1968
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        425⤵
        
        PID:3064
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        426⤵
        
        PID:2480
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        427⤵
        
        PID:2716
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        428⤵
        
        PID:2912
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        429⤵
        
        PID:1272
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        430⤵
        
        PID:904
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        431⤵
        
        PID:1688
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        432⤵
        
        PID:2560
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        433⤵
        
        PID:1100
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        434⤵
        
        PID:2608
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        435⤵
        
        PID:2916
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        436⤵
        
        PID:2752
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        437⤵
        
        PID:1184
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        438⤵
        
        PID:2524
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        439⤵
        
        PID:668
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        440⤵
        
        PID:2600
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        441⤵
        
        PID:2104
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        442⤵
        
        PID:2860
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        443⤵
        
        PID:2460
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        444⤵
        
        PID:1568
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        445⤵
        
        PID:2472
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        446⤵
        
        PID:1300
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        447⤵
        
        PID:1372
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        448⤵
        
        PID:304
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        449⤵
        
        PID:1948
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        450⤵
        
        PID:380
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        451⤵
        
        PID:2248
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        452⤵
        
        PID:1488
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        453⤵
        
        PID:2388
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        454⤵
        
        PID:2228
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        455⤵
        
        PID:2764
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        456⤵
        
        PID:2844
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        457⤵
        
        PID:2432
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        458⤵
        
        PID:1708
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        459⤵
        
        PID:1040
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        460⤵
        
        PID:2564
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        461⤵
        
        PID:2512
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        462⤵
        
        PID:3064
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        463⤵
        
        PID:2480
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        464⤵
        
        PID:2276
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        465⤵
        
        PID:2912
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        466⤵
        
        PID:916
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        467⤵
        
        PID:904
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        468⤵
        
        PID:744
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        469⤵
        
        PID:2560
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        470⤵
        
        PID:2692
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        471⤵
        
        PID:3000
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        472⤵
        
        PID:2916
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        473⤵
        
        PID:2752
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        474⤵
        
        PID:2612
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        475⤵
        
        PID:1976
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        476⤵
        
        PID:668
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        477⤵
        
        PID:3036
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        478⤵
        
        PID:2908
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        479⤵
        
        PID:2160
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        480⤵
        
        PID:1540
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        481⤵
        
        PID:2184
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        482⤵
        
        PID:1404
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        483⤵
        
        PID:888
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        484⤵
        
        PID:2856
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        485⤵
        
        PID:1984
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        486⤵
        
        PID:1672
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        487⤵
        
        PID:1780
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        488⤵
        
        PID:108
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        489⤵
        
        PID:1680
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        490⤵
        
        PID:2596
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        491⤵
        
        PID:2824
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        492⤵
        
        PID:2808
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        493⤵
        
        PID:1652
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        494⤵
        
        PID:2532
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        495⤵
        
        PID:2652
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        496⤵
        
        PID:2516
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        497⤵
        
        PID:2776
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        498⤵
        
        PID:2756
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        499⤵
        
        PID:2584
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        500⤵
        
        PID:2084
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        501⤵
        
        PID:2604
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        502⤵
        
        PID:2732
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        503⤵
        
        PID:2060
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        504⤵
        
        PID:816
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        505⤵
        
        PID:904
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        506⤵
        
        PID:2144
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        507⤵
        
        PID:540
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        508⤵
        
        PID:2692
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        509⤵
        
        PID:2940
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        510⤵
        
        PID:2364
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        511⤵
        
        PID:2752
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        512⤵
        
        PID:2016
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        513⤵
        
        PID:1976
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        514⤵
        
        PID:668
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        515⤵
        
        PID:1896
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        516⤵
        
        PID:2908
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        517⤵
        
        PID:1176
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        518⤵
        
        PID:1532
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        519⤵
        
        PID:692
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        520⤵
        
        PID:2296
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        521⤵
        
        PID:1512
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        522⤵
        
        PID:604
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        523⤵
        
        PID:1948
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        524⤵
        
        PID:380
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        525⤵
        
        PID:2372
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        526⤵
        
        PID:2820
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        527⤵
        
        PID:288
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        528⤵
        
        PID:1288
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        529⤵
        
        PID:1664
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        530⤵
        
        PID:1660
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        531⤵
        
        PID:1996
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        532⤵
        
        PID:2508
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        533⤵
        
        PID:2536
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        534⤵
        
        PID:2760
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        535⤵
        
        PID:2360
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        536⤵
        
        PID:2208
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        537⤵
        
        PID:1956
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        538⤵
        
        PID:2724
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        539⤵
        
        PID:2912
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        540⤵
        
        PID:2544
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        541⤵
        
        PID:1688
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        542⤵
        
        PID:904
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        543⤵
        
        PID:2144
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        544⤵
        
        PID:540
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        545⤵
        
        PID:2692
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        546⤵
        
        PID:2744
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        547⤵
        
        PID:536
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        548⤵
        
        PID:2560
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        549⤵
        
        PID:2600
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        550⤵
        
        PID:1976
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        551⤵
        
        PID:2136
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        552⤵
        
        PID:2952
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        553⤵
        
        PID:2316
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        554⤵
        
        PID:1176
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        555⤵
        
        PID:1532
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        556⤵
        
        PID:484
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        557⤵
        
        PID:1408
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        558⤵
        
        PID:1888
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        559⤵
        
        PID:2396
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        560⤵
        
        PID:1948
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        561⤵
        
        PID:2264
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        562⤵
        
        PID:2984
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        563⤵
        
        PID:1680
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        564⤵
        
        PID:2888
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        565⤵
        
        PID:1308
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        566⤵
        
        PID:1772
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        567⤵
        
        PID:2288
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        568⤵
        
        PID:1996
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        569⤵
        
        PID:2508
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        570⤵
        
        PID:1528
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        571⤵
        
        PID:1380
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        572⤵
        
        PID:2664
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        573⤵
        
        PID:2480
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        574⤵
        
        PID:3028
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        575⤵
        
        PID:2552
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        576⤵
        
        PID:2628
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        577⤵
        
        PID:1524
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        578⤵
        
        PID:2924
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        579⤵
        
        PID:2020
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        580⤵
        
        PID:2928
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        581⤵
        
        PID:972
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        582⤵
        
        PID:2692
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        583⤵
        
        PID:1048
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        584⤵
        
        PID:536
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        585⤵
        
        PID:1724
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        586⤵
        
        PID:2728
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        587⤵
        
        PID:1896
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        588⤵
        
        PID:2112
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        589⤵
        
        PID:1760
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        590⤵
        
        PID:2184
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        591⤵
        
        PID:752
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        592⤵
        
        PID:3044
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        593⤵
        
        PID:2856
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        594⤵
        
        PID:1600
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        595⤵
        
        PID:2392
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        596⤵
        
        PID:2044
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        597⤵
        
        PID:1488
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        598⤵
        
        PID:2372
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        599⤵
        
        PID:2820
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        600⤵
        
        PID:1992
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        601⤵
        
        PID:1060
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        602⤵
        
        PID:2640
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        603⤵
        
        PID:1228
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        604⤵
        
        PID:2780
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        605⤵
        
        PID:2564
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        606⤵
        
        PID:1968
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        607⤵
        
        PID:3064
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        608⤵
        
        PID:2084
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        609⤵
        
        PID:2400
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        610⤵
        
        PID:932
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        611⤵
        
        PID:1940
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        612⤵
        
        PID:2448
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        613⤵
        
        PID:1276
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        614⤵
        
        PID:1136
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        615⤵
        
        PID:2892
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        616⤵
        
        PID:3000
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        617⤵
        
        PID:2940
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        618⤵
        
        PID:2744
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        619⤵
        
        PID:1864
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        620⤵
        
        PID:968
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        621⤵
        
        PID:1740
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        622⤵
        
        PID:1900
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        623⤵
        
        PID:836
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        624⤵
        
        PID:2132
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        625⤵
        
        PID:588
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        626⤵
        
        PID:1300
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        627⤵
        
        PID:2380
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        628⤵
        
        PID:1340
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        629⤵
        
        PID:1580
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        630⤵
        
        PID:1888
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        631⤵
        
        PID:3060
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        632⤵
        
        PID:892
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        633⤵
        
        PID:2196
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        634⤵
        
        PID:2596
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        635⤵
        
        PID:2764
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        636⤵
        
        PID:1032
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        637⤵
        
        PID:2532
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        638⤵
        
        PID:380
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        639⤵
        
        PID:2832
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        640⤵
        
        PID:2536
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        641⤵
        
        PID:2512
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        642⤵
        
        PID:2756
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        643⤵
        
        PID:2668
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        644⤵
        
        PID:2616
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        645⤵
        
        PID:1440
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        646⤵
        
        PID:1220
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        647⤵
        
        PID:2772
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        648⤵
        
        PID:1064
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        649⤵
        
        PID:2300
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        650⤵
        
        PID:1100
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        651⤵
        
        PID:2748
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        652⤵
        
        PID:2344
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        653⤵
        
        PID:2304
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        654⤵
        
        PID:2064
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        655⤵
        
        PID:340
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        656⤵
        
        PID:2600
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        657⤵
        
        PID:1656
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        658⤵
        
        PID:1332
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        659⤵
        
        PID:1628
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        660⤵
        
        PID:948
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        661⤵
        
        PID:1872
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        662⤵
        
        PID:2172
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        663⤵
        
        PID:2412
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        664⤵
        
        PID:1972
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        665⤵
        
        PID:2856
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        666⤵
        
        PID:1988
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        667⤵
        
        PID:864
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        668⤵
        
        PID:1948
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        669⤵
        
        PID:2388
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        670⤵
        
        PID:2156
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        671⤵
        
        PID:1676
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        672⤵
        
        PID:828
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        673⤵
        
        PID:1308
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        674⤵
        
        PID:1584
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        675⤵
        
        PID:1068
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        676⤵
        
        PID:2680
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        677⤵
        
        PID:2360
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        678⤵
        
        PID:2208
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        679⤵
        
        PID:2620
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        680⤵
        
        PID:2004
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        681⤵
        
        PID:1148
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        682⤵
        
        PID:920
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        683⤵
        
        PID:816
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        684⤵
        
        PID:1484
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        685⤵
        
        PID:2924
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        686⤵
        
        PID:2176
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        687⤵
        
        PID:2284
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        688⤵
        
        PID:912
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        689⤵
        
        PID:2036
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        690⤵
        
        PID:1748
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        691⤵
        
        PID:2116
        
        C:\windows\SysWOW64\wintemp.exe
        
        "C:\windows\system32\wintemp.exe"
        692⤵
        
        PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\wintemp.exe

Filesize
28KB

MD5
bf38333a1243cf12ea3216cc2f07bd24

SHA1
53c8653bc4cf317b3d8c1cdbd9aa6a65b8bdc308

SHA256
27f10960594dc8b1c59001087b6027c19a583bea16ce4cac19efa71ed0b2e548

SHA512
84ba45f4fefc3bc70cf470c11a93ddf1613df5aa1562bd808020b916c9ced96bcfd45a67ad78fcf7c986686586a1cc19e49ad44977d4ed06a229350248818c11

Download Submit
memory/108-80-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/540-105-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/588-60-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/656-96-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/748-78-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/820-112-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1032-119-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1096-117-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1220-43-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1240-65-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1316-86-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1320-88-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1372-111-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1440-98-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1496-101-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1512-114-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1512-81-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1524-97-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1564-94-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1584-121-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1616-90-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1636-113-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1676-84-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1896-108-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1940-31-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1956-35-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/1976-107-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2044-118-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2084-26-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2104-56-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2160-109-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2160-69-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2184-74-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2208-125-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2212-104-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2236-110-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2268-120-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2320-123-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2348-106-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2380-82-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2388-87-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2436-89-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2480-95-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2496-100-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2540-22-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2584-126-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2600-103-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2612-47-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2640-14-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2644-18-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2656-122-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2664-93-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2740-102-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2772-38-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2812-124-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2832-91-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2852-92-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2852-9-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2860-51-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/2992-115-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3024-99-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3032-116-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3032-83-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/3052-85-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download