neshta | af27c5ab9e64db813ad6a8636af0462f5323eca30c67fef5d9f0a1e684658a9b

Virtualization/Sandbox Evasion

Processes:

HID.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	HID.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

HID.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	HID.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	HID.exe

Drops startup file 64 IoCs

Processes:

explorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exeexplorer.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ufr_reports	explorer.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe	explorer.exe

Executes dropped EXE 64 IoCs

Processes:

HID.exeHID.exesvchost.comexplorer.exesvchost.comHID.exeexplorer.exesvchost.comHID.exesvchost.comexplorer.exesvchost.comHID.exeexplorer.exesvchost.comHID.exesvchost.comsvchost.comHID.exeexplorer.exeexplorer.exesvchost.comHID.exesvchost.comsvchost.comexplorer.exeexplorer.exeHID.exesvchost.comHID.exesvchost.comsvchost.comHID.exeexplorer.exeexplorer.exesvchost.comHID.exesvchost.comexplorer.exesvchost.comexplorer.exeHID.exesvchost.comHID.exesvchost.comsvchost.comHID.exeexplorer.exeexplorer.exesvchost.comHID.exesvchost.comexplorer.exesvchost.comexplorer.exeHID.exesvchost.comHID.exesvchost.comsvchost.comHID.exeexplorer.exeexplorer.exesvchost.com

pid	Process
2716	HID.exe
2612	HID.exe
2596	svchost.com
2660	explorer.exe
3068	svchost.com
320	HID.exe
608	explorer.exe
1308	svchost.com
2192	HID.exe
2804	svchost.com
1644	explorer.exe
2120	svchost.com
2960	HID.exe
2780	explorer.exe
2568	svchost.com
1660	HID.exe
2452	svchost.com
3004	svchost.com
2476	HID.exe
2432	explorer.exe
552	explorer.exe
1600	svchost.com
908	HID.exe
3020	svchost.com
1976	svchost.com
1844	explorer.exe
1740	explorer.exe
1284	HID.exe
1704	svchost.com
2032	HID.exe
1164	svchost.com
1700	svchost.com
952	HID.exe
560	explorer.exe
2508	explorer.exe
3040	svchost.com
2368	HID.exe
888	svchost.com
2408	explorer.exe
2724	svchost.com
2636	explorer.exe
1728	HID.exe
2492	svchost.com
2028	HID.exe
2924	svchost.com
2572	svchost.com
1648	HID.exe
2120	explorer.exe
2960	explorer.exe
2220	svchost.com
1184	HID.exe
2240	svchost.com
1080	explorer.exe
948	svchost.com
1048	explorer.exe
1480	HID.exe
988	svchost.com
1292	HID.exe
2424	svchost.com
1284	svchost.com
2668	HID.exe
896	explorer.exe
2380	explorer.exe
2012	svchost.com

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

Virtualization/Sandbox Evasion

Processes:

HID.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Wine	HID.exe

Loads dropped DLL 64 IoCs

Processes:

af27c5ab9e64db813ad6a8636af0462f5323eca30c67fef5d9f0a1e684658a9b.exeHID.exesvchost.comsvchost.comexplorer.exesvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comexplorer.exesvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comexplorer.exesvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.com

pid	Process
2856	af27c5ab9e64db813ad6a8636af0462f5323eca30c67fef5d9f0a1e684658a9b.exe
2856	af27c5ab9e64db813ad6a8636af0462f5323eca30c67fef5d9f0a1e684658a9b.exe
2716	HID.exe
2716	HID.exe
2596	svchost.com
3068	svchost.com
3068	svchost.com
2660	explorer.exe
1308	svchost.com
1308	svchost.com
2804	svchost.com
2120	svchost.com
2120	svchost.com
2568	svchost.com
2568	svchost.com
2452	svchost.com
2452	svchost.com
3004	svchost.com
1600	svchost.com
1600	svchost.com
3020	svchost.com
1976	svchost.com
1976	svchost.com
1704	svchost.com
1704	svchost.com
1164	svchost.com
1164	svchost.com
1700	svchost.com
3040	svchost.com
3040	svchost.com
888	svchost.com
2716	HID.exe
2408	explorer.exe
2724	svchost.com
2724	svchost.com
2492	svchost.com
2492	svchost.com
2924	svchost.com
2924	svchost.com
2572	svchost.com
2220	svchost.com
2220	svchost.com
2240	svchost.com
948	svchost.com
948	svchost.com
988	svchost.com
988	svchost.com
1284	svchost.com
1284	svchost.com
2424	svchost.com
896	explorer.exe
2012	svchost.com
2012	svchost.com
2776	svchost.com
1840	svchost.com
1840	svchost.com
2348	svchost.com
2348	svchost.com
2856	svchost.com
2856	svchost.com
2740	svchost.com
2536	svchost.com
2536	svchost.com
1020	svchost.com

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

Processes:

HID.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	HID.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

HID.exe

pid	Process
1520	HID.exe

Drops file in Program Files directory 64 IoCs

Processes:

HID.exesvchost.com

description	ioc	Process
File opened for modification	C:\PROGRA~3\PACKAG~1\{EF6B0~1\VCREDI~1.EXE	HID.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\ACCICONS.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOUC.EXE	HID.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DWTRIG20.EXE	HID.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Resource\Icons\SC_REA~1.EXE	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\ODeploy.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\VSTO\10.0\VSTOIN~1.EXE	HID.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{33D1F~1\VCREDI~1.EXE	HID.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\WMPDMC.exe	HID.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\ink\mip.exe	HID.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOF5E2~1.EXE	HID.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\setup_wm.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\SOURCE~1\OSE.EXE	HID.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\INFOPATH.EXE	HID.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\OIS.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\misc.exe	HID.exe
File opened for modification	C:\PROGRA~2\WI4223~1\sidebar.exe	HID.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{CA675~1\VCREDI~1.EXE	HID.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\LOGTRA~1.EXE	HID.exe
File opened for modification	C:\PROGRA~2\COMMON~1\Adobe\Updater6\ADOBEU~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\GRAPH.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSQRY32.EXE	HID.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\SELFCERT.EXE	HID.exe
File opened for modification	C:\PROGRA~2\WINDOW~4\ImagingDevices.exe	HID.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\FLTLDR.EXE	HID.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\OFFICE~1\Setup.exe	HID.exe
File opened for modification	C:\PROGRA~2\INTERN~1\iexplore.exe	svchost.com
File opened for modification	C:\PROGRA~3\PACKAG~1\{61087~1\VCREDI~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\EQUATION\EQNEDT32.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\LICLUA.EXE	HID.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\IECONT~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\SETUPF~1\{AC76B~1\Setup.exe	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	HID.exe
File opened for modification	C:\PROGRA~3\PACKAG~1\{57A73~1\VC_RED~1.EXE	HID.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\BCSSync.exe	HID.exe
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	HID.exe
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	HID.exe
File opened for modification	C:\PROGRA~2\INTERN~1\ieinstal.exe	svchost.com
File opened for modification	C:\PROGRA~2\INTERN~1\ielowutil.exe	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\CLVIEW.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\MSOHTMED.EXE	HID.exe
File opened for modification	C:\PROGRA~2\MOZILL~1\MAINTE~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WI54FB~1\wmprph.exe	HID.exe
File opened for modification	C:\PROGRA~2\WI54FB~1\wmpconfig.exe	svchost.com
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ADOBEC~1.EXE	HID.exe
File opened for modification	C:\PROGRA~2\COMMON~1\ADOBEA~1\Versions\1.0\ADOBEA~1.EXE	HID.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\DW\DW20.EXE	svchost.com
File opened for modification	C:\PROGRA~2\WINDOW~1\WinMail.exe	HID.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOXMLED.EXE	HID.exe
File opened for modification	C:\PROGRA~2\Google\Update\1336~1.151\GOBD5D~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\MSInfo\msinfo32.exe	HID.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\OFFICE14\MSOICONS.EXE	HID.exe
File opened for modification	C:\PROGRA~2\COMMON~1\MICROS~1\TextConv\WksConv\Wkconv.exe	svchost.com
File opened for modification	C:\PROGRA~2\Google\Update\DISABL~1.EXE	svchost.com
File opened for modification	C:\PROGRA~2\MICROS~1\Office14\WINWORD.EXE	HID.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\ACROBR~1.EXE	HID.exe
File opened for modification	C:\PROGRA~2\Adobe\READER~1.0\Reader\AcroRd32.exe	svchost.com

Drops file in Windows directory 64 IoCs

Processes:

svchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comHID.exesvchost.comsvchost.comsvchost.comHID.exeHID.exesvchost.comsvchost.comsvchost.comHID.exesvchost.comsvchost.comsvchost.comHID.exesvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comHID.exesvchost.comsvchost.comHID.exesvchost.comsvchost.comsvchost.comHID.exesvchost.comsvchost.comsvchost.comHID.exesvchost.comsvchost.comHID.exesvchost.comsvchost.comsvchost.comHID.exesvchost.comHID.exesvchost.comsvchost.comsvchost.comsvchost.comsvchost.comHID.exeHID.exesvchost.comHID.exesvchost.comHID.exe

description	ioc	Process
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	HID.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	HID.exe
File opened for modification	C:\Windows\svchost.com	HID.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	HID.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	HID.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	HID.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	HID.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	HID.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	HID.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	HID.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	HID.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	HID.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\directx.sys	HID.exe
File opened for modification	C:\Windows\svchost.com	HID.exe
File opened for modification	C:\Windows\directx.sys	svchost.com
File opened for modification	C:\Windows\svchost.com	HID.exe
File opened for modification	C:\Windows\svchost.com	svchost.com
File opened for modification	C:\Windows\svchost.com	HID.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

svchost.comsvchost.comexplorer.exeHID.exeHID.exesvchost.comsvchost.comHID.exeHID.exeHID.exeHID.exeHID.exeHID.exeHID.exesvchost.comsvchost.comsvchost.comexplorer.exesvchost.comexplorer.exesvchost.comHID.exesvchost.comHID.exesvchost.comexplorer.exeHID.exeHID.exeHID.exesvchost.comsvchost.comsvchost.comexplorer.exesvchost.comsvchost.comsvchost.comsvchost.comsvchost.comsvchost.comHID.exeHID.exesvchost.comsvchost.comHID.exeexplorer.exeHID.exesvchost.comHID.exeHID.exeexplorer.exesvchost.comHID.exesvchost.comexplorer.exesvchost.comsvchost.comHID.exeHID.exeHID.exesvchost.comHID.exesvchost.comHID.exeHID.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HID.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HID.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HID.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HID.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HID.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HID.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HID.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HID.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HID.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HID.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HID.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HID.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HID.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HID.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HID.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HID.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HID.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HID.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HID.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HID.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HID.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HID.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HID.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HID.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HID.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HID.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HID.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

Processes:

HID.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CentralProcessor\0\	HID.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	HID.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

System Information Discovery

Processes:

HID.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\BIOS\	HID.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct	HID.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\	HID.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosDate	HID.exe

Modifies registry class 1 IoCs

Processes:

HID.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\open\command\ = "C:\\Windows\\svchost.com \"%1\" %*"	HID.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

HID.exe

pid	Process
1520	HID.exe
1520	HID.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

HID.exe

description	pid	Process
Token: SeDebugPrivilege	1520	HID.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

HID.exe

pid	Process
1520	HID.exe
1520	HID.exe
1520	HID.exe
1520	HID.exe
1520	HID.exe
1520	HID.exe
1520	HID.exe
1520	HID.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

af27c5ab9e64db813ad6a8636af0462f5323eca30c67fef5d9f0a1e684658a9b.exeHID.exeHID.exesvchost.comsvchost.comexplorer.exeHID.exesvchost.comHID.exesvchost.comsvchost.comexplorer.exeHID.exesvchost.com

description	pid	Process	procid_target
PID 2856 wrote to memory of 2716	2856	af27c5ab9e64db813ad6a8636af0462f5323eca30c67fef5d9f0a1e684658a9b.exe	30
PID 2856 wrote to memory of 2716	2856	af27c5ab9e64db813ad6a8636af0462f5323eca30c67fef5d9f0a1e684658a9b.exe	30
PID 2856 wrote to memory of 2716	2856	af27c5ab9e64db813ad6a8636af0462f5323eca30c67fef5d9f0a1e684658a9b.exe	30
PID 2856 wrote to memory of 2716	2856	af27c5ab9e64db813ad6a8636af0462f5323eca30c67fef5d9f0a1e684658a9b.exe	30
PID 2716 wrote to memory of 2612	2716	HID.exe	31
PID 2716 wrote to memory of 2612	2716	HID.exe	31
PID 2716 wrote to memory of 2612	2716	HID.exe	31
PID 2716 wrote to memory of 2612	2716	HID.exe	31
PID 2612 wrote to memory of 2596	2612	HID.exe	32
PID 2612 wrote to memory of 2596	2612	HID.exe	32
PID 2612 wrote to memory of 2596	2612	HID.exe	32
PID 2612 wrote to memory of 2596	2612	HID.exe	32
PID 2596 wrote to memory of 2660	2596	svchost.com	113
PID 2596 wrote to memory of 2660	2596	svchost.com	113
PID 2596 wrote to memory of 2660	2596	svchost.com	113
PID 2596 wrote to memory of 2660	2596	svchost.com	113
PID 2612 wrote to memory of 3068	2612	HID.exe	34
PID 2612 wrote to memory of 3068	2612	HID.exe	34
PID 2612 wrote to memory of 3068	2612	HID.exe	34
PID 2612 wrote to memory of 3068	2612	HID.exe	34
PID 3068 wrote to memory of 320	3068	svchost.com	35
PID 3068 wrote to memory of 320	3068	svchost.com	35
PID 3068 wrote to memory of 320	3068	svchost.com	35
PID 3068 wrote to memory of 320	3068	svchost.com	35
PID 2660 wrote to memory of 608	2660	explorer.exe	99
PID 2660 wrote to memory of 608	2660	explorer.exe	99
PID 2660 wrote to memory of 608	2660	explorer.exe	99
PID 2660 wrote to memory of 608	2660	explorer.exe	99
PID 320 wrote to memory of 1308	320	HID.exe	117
PID 320 wrote to memory of 1308	320	HID.exe	117
PID 320 wrote to memory of 1308	320	HID.exe	117
PID 320 wrote to memory of 1308	320	HID.exe	117
PID 1308 wrote to memory of 2192	1308	svchost.com	38
PID 1308 wrote to memory of 2192	1308	svchost.com	38
PID 1308 wrote to memory of 2192	1308	svchost.com	38
PID 1308 wrote to memory of 2192	1308	svchost.com	38
PID 2192 wrote to memory of 2804	2192	HID.exe	39
PID 2192 wrote to memory of 2804	2192	HID.exe	39
PID 2192 wrote to memory of 2804	2192	HID.exe	39
PID 2192 wrote to memory of 2804	2192	HID.exe	39
PID 2804 wrote to memory of 1644	2804	svchost.com	40
PID 2804 wrote to memory of 1644	2804	svchost.com	40
PID 2804 wrote to memory of 1644	2804	svchost.com	40
PID 2804 wrote to memory of 1644	2804	svchost.com	40
PID 2192 wrote to memory of 2120	2192	HID.exe	120
PID 2192 wrote to memory of 2120	2192	HID.exe	120
PID 2192 wrote to memory of 2120	2192	HID.exe	120
PID 2192 wrote to memory of 2120	2192	HID.exe	120
PID 2120 wrote to memory of 2960	2120	svchost.com	169
PID 2120 wrote to memory of 2960	2120	svchost.com	169
PID 2120 wrote to memory of 2960	2120	svchost.com	169
PID 2120 wrote to memory of 2960	2120	svchost.com	169
PID 1644 wrote to memory of 2780	1644	explorer.exe	43
PID 1644 wrote to memory of 2780	1644	explorer.exe	43
PID 1644 wrote to memory of 2780	1644	explorer.exe	43
PID 1644 wrote to memory of 2780	1644	explorer.exe	43
PID 2960 wrote to memory of 2568	2960	HID.exe	44
PID 2960 wrote to memory of 2568	2960	HID.exe	44
PID 2960 wrote to memory of 2568	2960	HID.exe	44
PID 2960 wrote to memory of 2568	2960	HID.exe	44
PID 2568 wrote to memory of 1660	2568	svchost.com	45
PID 2568 wrote to memory of 1660	2568	svchost.com	45
PID 2568 wrote to memory of 1660	2568	svchost.com	45
PID 2568 wrote to memory of 1660	2568	svchost.com	45

C:\Users\Admin\AppData\Local\Temp\af27c5ab9e64db813ad6a8636af0462f5323eca30c67fef5d9f0a1e684658a9b.exe
"C:\Users\Admin\AppData\Local\Temp\af27c5ab9e64db813ad6a8636af0462f5323eca30c67fef5d9f0a1e684658a9b.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Users\Admin\AppData\Local\Temp\HID.exe
  "C:\Users\Admin\AppData\Local\Temp\HID.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Modifies system executable filetype association
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
    "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious use of WriteProcessMemory
      PID:2596
    - - C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2660
      - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        6⤵
        Executes dropped EXE
        
        PID:608
  - - C:\Windows\svchost.com
      "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:3068
    - - C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:320
      - C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        9⤵
        Drops startup file
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        10⤵
        Executes dropped EXE
        
        PID:2780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        Suspicious use of WriteProcessMemory
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        11⤵
        Executes dropped EXE
        
        PID:1660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        13⤵
        Drops startup file
        Executes dropped EXE
        
        PID:2432
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        14⤵
        Executes dropped EXE
        
        PID:552
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2452
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        13⤵
        Executes dropped EXE
        
        PID:2476
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        15⤵
        Executes dropped EXE
        
        PID:908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        17⤵
        Executes dropped EXE
        
        PID:1844
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        18⤵
        Executes dropped EXE
        
        PID:1740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1284
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:1704
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        19⤵
        Executes dropped EXE
        
        PID:2032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1700
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        21⤵
        Executes dropped EXE
        
        PID:560
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        22⤵
        Executes dropped EXE
        
        PID:2508
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1164
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        21⤵
        Executes dropped EXE
        
        PID:952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        23⤵
        Executes dropped EXE
        
        PID:2368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:888
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        25⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2408
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        26⤵
        Executes dropped EXE
        
        PID:2636
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        24⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        25⤵
        Executes dropped EXE
        
        PID:1728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        26⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        27⤵
        Executes dropped EXE
        
        PID:2028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        29⤵
        Executes dropped EXE
        
        PID:2120
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        30⤵
        Executes dropped EXE
        
        PID:2960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        28⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        29⤵
        Executes dropped EXE
        
        PID:1648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        30⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2220
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        31⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1184
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2240
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        33⤵
        Drops startup file
        Executes dropped EXE
        
        PID:1080
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        34⤵
        Executes dropped EXE
        
        PID:1048
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        32⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:948
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        33⤵
        Executes dropped EXE
        
        PID:1480
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        34⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        35⤵
        Executes dropped EXE
        
        PID:1292
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        36⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        37⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        
        PID:896
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2380
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        36⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        37⤵
        Executes dropped EXE
        
        PID:2668
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        38⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        39⤵
        
        PID:2144
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        40⤵
        Loads dropped DLL
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        41⤵
        
        PID:2000
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        42⤵
        
        PID:608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        40⤵
        Loads dropped DLL
        
        PID:1840
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        41⤵
        
        PID:1612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        42⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        43⤵
        
        PID:2280
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        44⤵
        Loads dropped DLL
        
        PID:2740
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        45⤵
        
        PID:2696
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        46⤵
        Drops startup file
        
        PID:2456
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        44⤵
        Loads dropped DLL
        Drops file in Windows directory
        
        PID:2856
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        45⤵
        
        PID:2828
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        46⤵
        Loads dropped DLL
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        47⤵
        System Location Discovery: System Language Discovery
        
        PID:2512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        48⤵
        Loads dropped DLL
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        49⤵
        Drops startup file
        
        PID:2320
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        50⤵
        
        PID:1608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        48⤵
        
        PID:580
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        49⤵
        
        PID:2660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        50⤵
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        51⤵
        
        PID:2672
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        52⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        53⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        54⤵
        
        PID:2120
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        52⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        53⤵
        
        PID:2056
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        54⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        55⤵
        System Location Discovery: System Language Discovery
        
        PID:2796
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        56⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        57⤵
        Drops startup file
        
        PID:2064
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        58⤵
        
        PID:2220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        56⤵
        Drops file in Windows directory
        
        PID:1932
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        57⤵
        
        PID:1148
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        58⤵
        
        PID:3020
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        59⤵
        
        PID:2360
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        60⤵
        Drops file in Windows directory
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        61⤵
        Drops startup file
        
        PID:3056
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        62⤵
        
        PID:2284
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        60⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        61⤵
        
        PID:2420
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        62⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        63⤵
        
        PID:1300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        64⤵
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        65⤵
        Drops startup file
        
        PID:560
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        66⤵
        
        PID:1504
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        64⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        65⤵
        
        PID:1836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        66⤵
        
        PID:840
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        67⤵
        
        PID:2092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        68⤵
        Drops file in Windows directory
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        69⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        70⤵
        
        PID:2836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        68⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        69⤵
        
        PID:1576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        70⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        71⤵
        
        PID:2888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        72⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        73⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        74⤵
        
        PID:2740
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        72⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        73⤵
        
        PID:1368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        74⤵
        
        PID:2336
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        75⤵
        
        PID:2704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        77⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        78⤵
        
        PID:2708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        76⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        77⤵
        
        PID:1744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        78⤵
        
        PID:2928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        79⤵
        
        PID:2784
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        80⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        81⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        82⤵
        
        PID:2960
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        80⤵
        Drops file in Windows directory
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:1528
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        82⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        83⤵
        
        PID:1796
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        84⤵
        
        PID:2224
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        85⤵
        Drops startup file
        
        PID:2252
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        86⤵
        
        PID:1948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        84⤵
        
        PID:1464
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        85⤵
        
        PID:408
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        86⤵
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        87⤵
        
        PID:948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        88⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        89⤵
        
        PID:320
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        90⤵
        
        PID:2468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        88⤵
        
        PID:3056
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        89⤵
        
        PID:296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        90⤵
        System Location Discovery: System Language Discovery
        
        PID:352
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        91⤵
        
        PID:844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        92⤵
        
        PID:1580
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        93⤵
        Drops startup file
        
        PID:1128
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        94⤵
        
        PID:1440
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        92⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        93⤵
        
        PID:1836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        94⤵
        Drops file in Windows directory
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        95⤵
        
        PID:1220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        96⤵
        
        PID:1200
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        97⤵
        Drops startup file
        
        PID:1612
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        98⤵
        
        PID:1576
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        96⤵
        Drops file in Windows directory
        
        PID:1564
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        97⤵
        Drops file in Windows directory
        
        PID:2496
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        98⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        99⤵
        
        PID:2888
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        100⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        101⤵
        Drops startup file
        
        PID:2920
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        102⤵
        
        PID:2648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        100⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        101⤵
        
        PID:2904
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        102⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        103⤵
        
        PID:1728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        104⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        105⤵
        Drops startup file
        
        PID:1288
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        106⤵
        
        PID:2128
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        104⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        105⤵
        
        PID:2344
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        106⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        107⤵
        
        PID:2572
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        108⤵
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        109⤵
        
        PID:2772
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        110⤵
        
        PID:2564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        108⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        109⤵
        Drops file in Windows directory
        
        PID:1648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        110⤵
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        111⤵
        
        PID:2268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        112⤵
        Drops file in Windows directory
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        113⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        114⤵
        
        PID:2004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        112⤵
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        113⤵
        Drops file in Windows directory
        
        PID:1932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        114⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        115⤵
        
        PID:1508
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        116⤵
        
        PID:268
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        117⤵
        
        PID:1064
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        118⤵
        
        PID:296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        116⤵
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        117⤵
        
        PID:1060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        118⤵
        Drops file in Windows directory
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        119⤵
        
        PID:2548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        120⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        121⤵
        Drops startup file
        
        PID:2424
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        122⤵
        
        PID:1968
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        120⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        121⤵
        Drops file in Windows directory
        
        PID:2260
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        122⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        123⤵
        
        PID:1220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        124⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        125⤵
        
        PID:3000
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        126⤵
        
        PID:2104
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        124⤵
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        125⤵
        
        PID:2100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        126⤵
        
        PID:2632
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        127⤵
        
        PID:484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        128⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        129⤵
        Drops startup file
        
        PID:2704
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        130⤵
        
        PID:3060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        128⤵
        
        PID:1620
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        129⤵
        
        PID:1696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        130⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        131⤵
        
        PID:2660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        132⤵
        Drops file in Windows directory
        
        PID:1824
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        133⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        134⤵
        
        PID:2332
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        132⤵
        
        PID:2944
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        133⤵
        Drops file in Windows directory
        
        PID:2328
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        134⤵
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        135⤵
        
        PID:1772
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        136⤵
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        137⤵
        Drops startup file
        
        PID:2884
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        138⤵
        
        PID:1676
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        136⤵
        Drops file in Windows directory
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        137⤵
        
        PID:2240
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        138⤵
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        139⤵
        
        PID:684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        140⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        141⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1080
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        142⤵
        
        PID:2476
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        141⤵
        
        PID:2004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        142⤵
        Drops file in Windows directory
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        143⤵
        
        PID:1720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        144⤵
        Drops file in Windows directory
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        145⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        146⤵
        
        PID:844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        144⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        145⤵
        System Location Discovery: System Language Discovery
        
        PID:2168
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        147⤵
        
        PID:2340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        148⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        149⤵
        
        PID:1656
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        150⤵
        
        PID:2552
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        148⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        149⤵
        
        PID:2736
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        150⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        151⤵
        
        PID:3000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        152⤵
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        153⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        154⤵
        
        PID:2308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        152⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        153⤵
        
        PID:2200
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        154⤵
        Drops file in Windows directory
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        155⤵
        
        PID:1924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        157⤵
        Drops startup file
        
        PID:1728
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        158⤵
        
        PID:2068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        156⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        157⤵
        Drops file in Windows directory
        
        PID:2652
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        158⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        159⤵
        
        PID:2028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        160⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:2492
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        162⤵
        
        PID:2780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        160⤵
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        161⤵
        
        PID:3016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        162⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        163⤵
        
        PID:2936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        164⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        165⤵
        
        PID:408
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        166⤵
        
        PID:804
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        164⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        165⤵
        
        PID:1912
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        166⤵
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        167⤵
        System Location Discovery: System Language Discovery
        
        PID:1932
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        168⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        169⤵
        Drops startup file
        
        PID:1936
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        170⤵
        
        PID:1508
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        168⤵
        Drops file in Windows directory
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        169⤵
        
        PID:1972
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        170⤵
        Drops file in Windows directory
        
        PID:1300
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        171⤵
        
        PID:1580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        172⤵
        
        PID:1440
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        173⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        174⤵
        
        PID:340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        172⤵
        Drops file in Windows directory
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        173⤵
        
        PID:2444
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        174⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        175⤵
        
        PID:1840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        176⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        177⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        178⤵
        
        PID:2696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        176⤵
        System Location Discovery: System Language Discovery
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        177⤵
        System Location Discovery: System Language Discovery
        
        PID:2744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        178⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        179⤵
        
        PID:1724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        180⤵
        Drops file in Windows directory
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        181⤵
        Drops startup file
        
        PID:2336
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        182⤵
        
        PID:880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        180⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        181⤵
        System Location Discovery: System Language Discovery
        
        PID:2272
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        182⤵
        
        PID:2076
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        183⤵
        
        PID:2068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        184⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        185⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        186⤵
        
        PID:1744
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        184⤵
        
        PID:2792
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        185⤵
        
        PID:1144
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        186⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        187⤵
        
        PID:3004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        188⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        189⤵
        Drops startup file
        
        PID:2944
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        190⤵
        
        PID:3016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        188⤵
        
        PID:2324
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        189⤵
        
        PID:2244
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        190⤵
        Drops file in Windows directory
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        191⤵
        
        PID:1948
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        192⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        193⤵
        
        PID:948
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        194⤵
        
        PID:1080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        192⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        193⤵
        
        PID:1356
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        194⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        195⤵
        
        PID:1936
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        196⤵
        Drops file in Windows directory
        
        PID:1848
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        197⤵
        Drops startup file
        
        PID:2428
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        198⤵
        
        PID:2040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        196⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        197⤵
        System Location Discovery: System Language Discovery
        
        PID:2032
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        198⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        199⤵
        
        PID:592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        200⤵
        
        PID:1836
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        201⤵
        Drops startup file
        
        PID:1372
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        202⤵
        
        PID:2404
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        200⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        201⤵
        
        PID:1716
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        202⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        203⤵
        
        PID:2776
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        204⤵
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        205⤵
        Drops startup file
        
        PID:2868
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        206⤵
        
        PID:2612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        204⤵
        Drops file in Windows directory
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        205⤵
        
        PID:2228
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        206⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        207⤵
        
        PID:2200
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        208⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        209⤵
        Drops startup file
        
        PID:2256
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        210⤵
        
        PID:2704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        208⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        209⤵
        System Location Discovery: System Language Discovery
        
        PID:2640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        210⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        211⤵
        System Location Discovery: System Language Discovery
        
        PID:2128
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        212⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        213⤵
        Drops startup file
        
        PID:448
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        214⤵
        
        PID:2660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        212⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        213⤵
        
        PID:1512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        214⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        215⤵
        
        PID:2720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        216⤵
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        217⤵
        Drops startup file
        
        PID:2484
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        218⤵
        
        PID:1648
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        216⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        217⤵
        
        PID:2924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        218⤵
        
        PID:2252
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        219⤵
        
        PID:1688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        220⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        221⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        222⤵
        
        PID:3068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        220⤵
        
        PID:1148
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        221⤵
        
        PID:1080
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        222⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        223⤵
        
        PID:296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        224⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        225⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        226⤵
        
        PID:2040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        224⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        225⤵
        
        PID:1732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        226⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        227⤵
        
        PID:568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        228⤵
        Drops file in Windows directory
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        229⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1320
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        230⤵
        
        PID:1428
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        228⤵
        Drops file in Windows directory
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        229⤵
        System Location Discovery: System Language Discovery
        
        PID:1656
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        230⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        231⤵
        
        PID:2180
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        232⤵
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        233⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        234⤵
        
        PID:2580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        232⤵
        
        PID:608
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        233⤵
        
        PID:3000
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        234⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        235⤵
        
        PID:2520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        236⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        237⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        238⤵
        
        PID:2756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        236⤵
        Drops file in Windows directory
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        237⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        238⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        239⤵
        
        PID:1644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        240⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        241⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        242⤵
        
        PID:2880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        240⤵
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        241⤵
        
        PID:2128
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        242⤵
        Drops file in Windows directory
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        243⤵
        
        PID:1940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        244⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        245⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        246⤵
        
        PID:2720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        244⤵
        
        PID:2064
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        245⤵
        
        PID:2796
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        246⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        247⤵
        
        PID:2680
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        248⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        249⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        250⤵
        
        PID:2980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        248⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        249⤵
        
        PID:1688
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        250⤵
        Drops file in Windows directory
        
        PID:1080
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        251⤵
        
        PID:1704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        252⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        253⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        254⤵
        
        PID:1300
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        252⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        253⤵
        Drops file in Windows directory
        
        PID:528
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        254⤵
        
        PID:752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        255⤵
        
        PID:1836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        256⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        257⤵
        Drops startup file
        
        PID:2328
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        258⤵
        
        PID:2940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        256⤵
        
        PID:568
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        257⤵
        
        PID:376
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        258⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        259⤵
        
        PID:1760
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        260⤵
        Drops file in Windows directory
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        261⤵
        
        PID:608
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        262⤵
        
        PID:2052
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        260⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        261⤵
        
        PID:2996
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        262⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        263⤵
        
        PID:2100
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        264⤵
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        265⤵
        
        PID:880
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        266⤵
        
        PID:2256
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        264⤵
        
        PID:1424
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        265⤵
        
        PID:1516
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        266⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        267⤵
        
        PID:1696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        268⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        269⤵
        Drops startup file
        
        PID:1824
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        270⤵
        
        PID:2192
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        268⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        269⤵
        Drops file in Windows directory
        
        PID:1592
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        270⤵
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        271⤵
        
        PID:2484
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        272⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        273⤵
        Drops startup file
        
        PID:2220
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        274⤵
        
        PID:1796
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        272⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        273⤵
        
        PID:2120
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        274⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2360
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        275⤵
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        276⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        277⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        278⤵
        
        PID:1844
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        276⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        277⤵
        
        PID:1148
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        278⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        279⤵
        
        PID:268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        280⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        281⤵
        Drops startup file
        
        PID:2032
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        282⤵
        
        PID:1660
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        280⤵
        
        PID:1284
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        281⤵
        
        PID:1164
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        282⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        283⤵
        
        PID:1836
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        284⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        285⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        286⤵
        
        PID:1904
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        284⤵
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        285⤵
        
        PID:2552
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        286⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        287⤵
        
        PID:2180
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        288⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        289⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        290⤵
        
        PID:2856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        288⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        289⤵
        Drops file in Windows directory
        
        PID:2916
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        290⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        291⤵
        
        PID:2588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        292⤵
        
        PID:484
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        293⤵
        
        PID:300
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        294⤵
        
        PID:548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        292⤵
        
        PID:3060
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        293⤵
        
        PID:2640
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        294⤵
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        295⤵
        
        PID:1696
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        296⤵
        
        PID:2536
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        297⤵
        Drops startup file
        
        PID:2960
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        298⤵
        
        PID:1528
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        296⤵
        Drops file in Windows directory
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        297⤵
        
        PID:2028
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        298⤵
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        299⤵
        
        PID:2448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        300⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        301⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1796
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        302⤵
        
        PID:2120
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        300⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        301⤵
        
        PID:3004
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        302⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        303⤵
        
        PID:2360
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        304⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        305⤵
        
        PID:2800
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        306⤵
        
        PID:1720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        304⤵
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        305⤵
        System Location Discovery: System Language Discovery
        
        PID:2684
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        306⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        307⤵
        
        PID:1704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        308⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        309⤵
        Drops startup file
        
        PID:2032
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        310⤵
        
        PID:1284
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        308⤵
        
        PID:2524
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        309⤵
        Drops file in Windows directory
        
        PID:2424
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        310⤵
        Drops file in Windows directory
        
        PID:952
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        311⤵
        
        PID:2504
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        312⤵
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        313⤵
        Drops startup file
        
        PID:1836
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        314⤵
        
        PID:2396
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        312⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        313⤵
        Drops file in Windows directory
        
        PID:1572
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        314⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        315⤵
        
        PID:2260
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        316⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        317⤵
        Drops startup file
        
        PID:1564
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        318⤵
        
        PID:1464
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        316⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1220
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        317⤵
        
        PID:2956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        318⤵
        
        PID:1752
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        319⤵
        
        PID:2704
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        320⤵
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        321⤵
        Drops startup file
        
        PID:1516
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        322⤵
        
        PID:2272
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        320⤵
        Drops file in Windows directory
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        321⤵
        
        PID:2520
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        322⤵
        
        PID:2060
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        323⤵
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        324⤵
        Drops file in Windows directory
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        325⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        326⤵
        
        PID:1308
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        324⤵
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        325⤵
        Drops file in Windows directory
        
        PID:2884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        326⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        327⤵
        System Location Discovery: System Language Discovery
        
        PID:2220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        328⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        329⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        330⤵
        
        PID:788
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        328⤵
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        329⤵
        
        PID:2432
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        330⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        331⤵
        
        PID:3068
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        332⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        333⤵
        System Location Discovery: System Language Discovery
        
        PID:3056
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        334⤵
        
        PID:1356
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        332⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        333⤵
        
        PID:1588
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        334⤵
        
        PID:268
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        335⤵
        
        PID:2428
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        336⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        337⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        338⤵
        
        PID:2264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        336⤵
        
        PID:296
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        337⤵
        Drops file in Windows directory
        
        PID:2524
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        338⤵
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        339⤵
        
        PID:1732
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        340⤵
        System Location Discovery: System Language Discovery
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        341⤵
        Drops startup file
        
        PID:2388
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        342⤵
        
        PID:2580
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        340⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        341⤵
        
        PID:2444
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        342⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        343⤵
        
        PID:2840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        344⤵
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        345⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        346⤵
        
        PID:2812
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        344⤵
        Drops file in Windows directory
        
        PID:2776
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        345⤵
        
        PID:2608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        346⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        347⤵
        
        PID:1752
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        348⤵
        System Location Discovery: System Language Discovery
        
        PID:300
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        349⤵
        Drops startup file
        
        PID:2472
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        350⤵
        
        PID:1964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        348⤵
        
        PID:1516
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        349⤵
        
        PID:1728
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        350⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        351⤵
        System Location Discovery: System Language Discovery
        
        PID:1944
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        352⤵
        System Location Discovery: System Language Discovery
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        353⤵
        Drops startup file
        
        PID:2128
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        354⤵
        
        PID:2568
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        352⤵
        Drops file in Windows directory
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        353⤵
        
        PID:3016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        354⤵
        
        PID:2572
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        355⤵
        
        PID:2220
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        356⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        357⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        358⤵
        
        PID:1756
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        356⤵
        
        PID:2448
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        357⤵
        
        PID:2120
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        358⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        359⤵
        System Location Discovery: System Language Discovery
        
        PID:2468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        360⤵
        
        PID:2284
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        361⤵
        
        PID:1356
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        362⤵
        
        PID:1060
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        360⤵
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        361⤵
        
        PID:1692
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        362⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        363⤵
        
        PID:1700
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        364⤵
        
        PID:2264
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        365⤵
        Drops startup file
        
        PID:1284
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        366⤵
        
        PID:2940
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        364⤵
        
        PID:908
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        365⤵
        
        PID:900
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        366⤵
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        367⤵
        
        PID:2092
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        368⤵
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        369⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        370⤵
        
        PID:2856
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        368⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        369⤵
        
        PID:608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        370⤵
        
        PID:1568
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        371⤵
        
        PID:1564
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        372⤵
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        373⤵
        
        PID:2704
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        374⤵
        
        PID:1368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        372⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        373⤵
        
        PID:2608
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        374⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        375⤵
        
        PID:1964
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        376⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        377⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:2192
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        378⤵
        
        PID:2792
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        376⤵
        
        PID:1832
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        377⤵
        
        PID:2780
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        378⤵
        
        PID:1144
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        379⤵
        System Location Discovery: System Language Discovery
        
        PID:2880
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        380⤵
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        381⤵
        
        PID:2492
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        382⤵
        
        PID:2884
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        380⤵
        System Location Discovery: System Language Discovery
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        381⤵
        
        PID:3008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        382⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        383⤵
        
        PID:2252
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        384⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        385⤵
        Drops startup file
        
        PID:2480
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        386⤵
        
        PID:2448
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        384⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:1996
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        385⤵
        
        PID:956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        386⤵
        
        PID:2476
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        387⤵
        
        PID:1848
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        388⤵
        System Location Discovery: System Language Discovery
        
        PID:804
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        389⤵
        Drops startup file
        
        PID:1080
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        390⤵
        
        PID:268
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        388⤵
        Drops file in Windows directory
        
        PID:1060
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        389⤵
        Drops file in Windows directory
        
        PID:1468
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        390⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        391⤵
        System Location Discovery: System Language Discovery
        
        PID:840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        392⤵
        System Location Discovery: System Language Discovery
        
        PID:528
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        393⤵
        
        PID:1320
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        394⤵
        
        PID:2340
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        392⤵
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        393⤵
        
        PID:2664
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        394⤵
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        395⤵
        
        PID:1532
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        396⤵
        
        PID:2612
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        397⤵
        Drops startup file
        
        PID:2712
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        398⤵
        
        PID:2584
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        396⤵
        
        PID:1760
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        397⤵
        
        PID:2280
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        398⤵
        System Location Discovery: System Language Discovery
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        399⤵
        
        PID:1560
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        400⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        401⤵
        Drops startup file
        
        PID:580
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        402⤵
        
        PID:536
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        400⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        401⤵
        
        PID:1644
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        402⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        403⤵
        
        PID:1724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        404⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        405⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        406⤵
        
        PID:1944
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        404⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        405⤵
        System Location Discovery: System Language Discovery
        
        PID:1020
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        406⤵
        
        PID:1528
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        407⤵
        
        PID:3016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        408⤵
        
        PID:2028
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        409⤵
        
        PID:2464
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        410⤵
        
        PID:2944
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        408⤵
        System Location Discovery: System Language Discovery
        
        PID:788
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        409⤵
        
        PID:2016
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        410⤵
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        411⤵
        
        PID:2980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        412⤵
        
        PID:3068
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        413⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        414⤵
        
        PID:2952
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        412⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        413⤵
        
        PID:2232
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        414⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        415⤵
        
        PID:2040
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        416⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        417⤵
        
        PID:2404
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        418⤵
        
        PID:2524
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        416⤵
        
        PID:844
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        417⤵
        
        PID:2412
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        418⤵
        
        PID:1292
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        419⤵
        
        PID:296
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        420⤵
        Drops file in Windows directory
        
        PID:900
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        421⤵
        System Location Discovery: System Language Discovery
        
        PID:772
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        422⤵
        
        PID:2444
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        420⤵
        
        PID:2388
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        421⤵
        
        PID:2908
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        422⤵
        Drops file in Windows directory
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        423⤵
        
        PID:2612
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        424⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        425⤵
        Drops startup file
        
        PID:2308
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        426⤵
        
        PID:1840
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        424⤵
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        425⤵
        Drops file in Windows directory
        System Location Discovery: System Language Discovery
        
        PID:2724
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        426⤵
        System Location Discovery: System Language Discovery
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        427⤵
        
        PID:1560
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        428⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        429⤵
        Drops startup file
        
        PID:2136
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        430⤵
        
        PID:2788
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        428⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        429⤵
        Drops file in Windows directory
        
        PID:1924
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        430⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        431⤵
        
        PID:1596
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        432⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        433⤵
        
        PID:1624
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        434⤵
        
        PID:2368
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        432⤵
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        433⤵
        
        PID:2720
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        434⤵
        
        PID:2880
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        435⤵
        
        PID:1512
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        436⤵
        
        PID:1188
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        437⤵
        Drops startup file
        
        PID:2220
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        438⤵
        
        PID:1184
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        436⤵
        
        PID:2884
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        437⤵
        System Location Discovery: System Language Discovery
        
        PID:2944
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        438⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        439⤵
        
        PID:3008
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        440⤵
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        441⤵
        
        PID:468
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        442⤵
        
        PID:956
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        440⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        441⤵
        
        PID:2980
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe"
        442⤵
        
        PID:988
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\3582-490\HID.exe
        443⤵
        
        PID:2548
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\explorer.exe"
        444⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        
        C:\Users\Admin\AppData\Local\Temp\explorer.exe
        445⤵
        Drops startup file
        
        PID:2328
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorer.exe"
        446⤵
        
        PID:2264
        
        C:\Windows\svchost.com
        
        "C:\Windows\svchost.com" "C:\Users\Admin\AppData\Local\Temp\HID.exe"
        444⤵
        System Location Discovery: System Language Discovery
        
        PID:1844
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        
        C:\Users\Admin\AppData\Local\Temp\HID.exe
        445⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Identifies Wine through registry keys
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Checks processor information in registry
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1520

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:2168

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:1716

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
1⤵
PID:956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Virtualization/Sandbox Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

System Information Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion