dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2022 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
Size

233KB
MD5

064c205aceec74832921f2db4eb657ed
SHA1

fec7b2603aa0719ef7cf4432578f1722579c254c
SHA256

dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85
SHA512

4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Score

10^/10

discovery evasion persistence suricata upx

Malware Config

Signatures

Modifies firewall policy service 2 TTPs 4 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe:*:enabled:@shell32.dll,-1"	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe

suricata: ET MALWARE Known Hostile Domain ant.trenz .pl Lookup
suricata: ET MALWARE Known Hostile Domain ant.trenz .pl Lookup
suricata
suricata: ET MALWARE Known Hostile Domain ilo.brenz .pl Lookup
suricata: ET MALWARE Known Hostile Domain ilo.brenz .pl Lookup
suricata

Executes dropped EXE 64 IoCs

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

pid	process
4300	svchost.exe
836	svchost.exe
216	svchost.exe
4924	svchost.exe
1012	svchost.exe
888	svchost.exe
480	svchost.exe
4116	svchost.exe
5068	svchost.exe
1876	svchost.exe
1844	svchost.exe
1164	svchost.exe
3616	svchost.exe
1600	svchost.exe
3036	svchost.exe
5000	svchost.exe
3276	svchost.exe
5012	svchost.exe
3772	svchost.exe
3184	svchost.exe
2220	svchost.exe
480	svchost.exe
4908	svchost.exe
2776	svchost.exe
3460	svchost.exe
5056	svchost.exe
2292	svchost.exe
368	svchost.exe
4936	svchost.exe
2988	svchost.exe
4560	svchost.exe
1336	svchost.exe
2308	svchost.exe
2860	svchost.exe
4780	svchost.exe
2212	svchost.exe
4184	svchost.exe
2932	svchost.exe
332	svchost.exe
900	svchost.exe
5028	svchost.exe
2224	svchost.exe
4456	svchost.exe
3748	svchost.exe
4988	svchost.exe
3492	svchost.exe
4804	svchost.exe
3084	svchost.exe
4916	svchost.exe
1508	svchost.exe
3676	svchost.exe
3992	svchost.exe
4980	svchost.exe
4304	svchost.exe
836	svchost.exe
1460	svchost.exe
4764	svchost.exe
4988	svchost.exe
3752	svchost.exe
4640	svchost.exe
4880	svchost.exe
920	svchost.exe
1776	svchost.exe
4236	svchost.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2412-130-0x0000000000400000-0x0000000000489000-memory.dmp	upx
C:\Windows\svchost.exe	upx
C:\Windows\svchost.exe	upx
behavioral2/memory/4300-139-0x0000000000400000-0x0000000000489000-memory.dmp	upx
C:\Windows\svchost.exe	upx
behavioral2/memory/2412-145-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral2/memory/836-146-0x0000000000400000-0x0000000000489000-memory.dmp	upx
C:\Windows\svchost.exe	upx
behavioral2/memory/216-153-0x0000000000400000-0x0000000000489000-memory.dmp	upx
C:\Windows\svchost.exe	upx
behavioral2/memory/4924-159-0x0000000000400000-0x0000000000489000-memory.dmp	upx
C:\Windows\svchost.exe	upx
behavioral2/memory/1012-165-0x0000000000400000-0x0000000000489000-memory.dmp	upx
C:\Windows\svchost.exe	upx
behavioral2/memory/888-168-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral2/memory/888-173-0x0000000000400000-0x0000000000489000-memory.dmp	upx
C:\Windows\svchost.exe	upx
behavioral2/memory/480-178-0x0000000000400000-0x0000000000489000-memory.dmp	upx
C:\Windows\svchost.exe	upx
behavioral2/memory/4116-184-0x0000000000400000-0x0000000000489000-memory.dmp	upx
C:\Windows\svchost.exe	upx
behavioral2/memory/5068-190-0x0000000000400000-0x0000000000489000-memory.dmp	upx
C:\Windows\svchost.exe	upx
behavioral2/memory/1876-196-0x0000000000400000-0x0000000000489000-memory.dmp	upx
C:\Windows\svchost.exe	upx
behavioral2/memory/1844-202-0x0000000000400000-0x0000000000489000-memory.dmp	upx
C:\Windows\svchost.exe	upx
behavioral2/memory/1164-209-0x0000000000400000-0x0000000000489000-memory.dmp	upx
C:\Windows\svchost.exe	upx
behavioral2/memory/3616-213-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral2/memory/3616-218-0x0000000000400000-0x0000000000489000-memory.dmp	upx
C:\Windows\svchost.exe	upx
behavioral2/memory/1600-220-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral2/memory/1600-226-0x0000000000400000-0x0000000000489000-memory.dmp	upx
C:\Windows\svchost.exe	upx
behavioral2/memory/3036-233-0x0000000000400000-0x0000000000489000-memory.dmp	upx
C:\Windows\svchost.exe	upx
behavioral2/memory/5000-240-0x0000000000400000-0x0000000000489000-memory.dmp	upx
C:\Windows\svchost.exe	upx
behavioral2/memory/3276-247-0x0000000000400000-0x0000000000489000-memory.dmp	upx
C:\Windows\svchost.exe	upx
behavioral2/memory/5012-254-0x0000000000400000-0x0000000000489000-memory.dmp	upx
C:\Windows\svchost.exe	upx
behavioral2/memory/3772-261-0x0000000000400000-0x0000000000489000-memory.dmp	upx
C:\Windows\svchost.exe	upx
behavioral2/memory/3184-268-0x0000000000400000-0x0000000000489000-memory.dmp	upx
C:\Windows\svchost.exe	upx
behavioral2/memory/2220-272-0x0000000000400000-0x0000000000489000-memory.dmp	upx
behavioral2/memory/2220-277-0x0000000000400000-0x0000000000489000-memory.dmp	upx
C:\Windows\svchost.exe	upx
behavioral2/memory/480-283-0x0000000000400000-0x0000000000489000-memory.dmp	upx
C:\Windows\svchost.exe	upx
C:\Windows\svchost.exe	upx
C:\Windows\svchost.exe	upx
C:\Windows\svchost.exe	upx
C:\Windows\svchost.exe	upx
C:\Windows\svchost.exe	upx
C:\Windows\svchost.exe	upx
C:\Windows\svchost.exe	upx
C:\Windows\svchost.exe	upx
C:\Windows\svchost.exe	upx
C:\Windows\svchost.exe	upx
C:\Windows\svchost.exe	upx
C:\Windows\svchost.exe	upx

Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
discovery

Network Service Scanning
T1046

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe

description	ioc	process
File opened (read-only)	\??\E:	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
File opened (read-only)	\??\J:	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
File opened (read-only)	\??\N:	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
File opened (read-only)	\??\Y:	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
File opened (read-only)	\??\Z:	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
File opened (read-only)	\??\R:	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
File opened (read-only)	\??\U:	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
File opened (read-only)	\??\F:	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
File opened (read-only)	\??\I:	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
File opened (read-only)	\??\K:	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
File opened (read-only)	\??\L:	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
File opened (read-only)	\??\P:	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
File opened (read-only)	\??\Q:	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
File opened (read-only)	\??\H:	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
File opened (read-only)	\??\M:	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
File opened (read-only)	\??\T:	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
File opened (read-only)	\??\W:	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
File opened (read-only)	\??\X:	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
File opened (read-only)	\??\G:	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
File opened (read-only)	\??\O:	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
File opened (read-only)	\??\S:	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
File opened (read-only)	\??\V:	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe

Creates a Windows Service
persistence

Drops file in Windows directory 2 IoCs

Processes:

dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe

description	ioc	process
File created	C:\Windows\svchost.exe	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
File opened for modification	C:\Windows\svchost.exe	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe

Program crash 64 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1420	4300	WerFault.exe	svchost.exe
2028	836	WerFault.exe	svchost.exe
4736	216	WerFault.exe	svchost.exe
2364	4924	WerFault.exe	svchost.exe
884	1012	WerFault.exe	svchost.exe
2220	888	WerFault.exe	svchost.exe
1432	480	WerFault.exe	svchost.exe
544	4116	WerFault.exe	svchost.exe
4840	5068	WerFault.exe	svchost.exe
3192	1876	WerFault.exe	svchost.exe
948	1844	WerFault.exe	svchost.exe
4312	1164	WerFault.exe	svchost.exe
5076	3616	WerFault.exe	svchost.exe
3612	1600	WerFault.exe	svchost.exe
4328	3036	WerFault.exe	svchost.exe
2224	5000	WerFault.exe	svchost.exe
3344	3276	WerFault.exe	svchost.exe
1424	5012	WerFault.exe	svchost.exe
1252	3772	WerFault.exe	svchost.exe
2728	3184	WerFault.exe	svchost.exe
4780	2220	WerFault.exe	svchost.exe
3084	480	WerFault.exe	svchost.exe
520	4908	WerFault.exe	svchost.exe
3464	2776	WerFault.exe	svchost.exe
1632	3460	WerFault.exe	svchost.exe
3564	5056	WerFault.exe	svchost.exe
3816	2292	WerFault.exe	svchost.exe
3780	368	WerFault.exe	svchost.exe
4304	4936	WerFault.exe	svchost.exe
4828	2988	WerFault.exe	svchost.exe
4904	4560	WerFault.exe	svchost.exe
1252	1336	WerFault.exe	svchost.exe
1664	2308	WerFault.exe	svchost.exe
1752	2860	WerFault.exe	svchost.exe
3052	4780	WerFault.exe	svchost.exe
968	2212	WerFault.exe	svchost.exe
3076	4184	WerFault.exe	svchost.exe
3512	2932	WerFault.exe	svchost.exe
5056	332	WerFault.exe	svchost.exe
2380	900	WerFault.exe	svchost.exe
1324	5028	WerFault.exe	svchost.exe
3036	2224	WerFault.exe	svchost.exe
4828	4456	WerFault.exe	svchost.exe
4132	3748	WerFault.exe	svchost.exe
4376	4988	WerFault.exe	svchost.exe
3600	3492	WerFault.exe	svchost.exe
2408	4804	WerFault.exe	svchost.exe
4840	3084	WerFault.exe	svchost.exe
4704	4916	WerFault.exe	svchost.exe
1132	1508	WerFault.exe	svchost.exe
612	3676	WerFault.exe	svchost.exe
3100	3992	WerFault.exe	svchost.exe
368	4980	WerFault.exe	svchost.exe
1116	4304	WerFault.exe	svchost.exe
4464	836	WerFault.exe	svchost.exe
5012	1460	WerFault.exe	svchost.exe
4716	4764	WerFault.exe	svchost.exe
1712	4988	WerFault.exe	svchost.exe
3292	3752	WerFault.exe	svchost.exe
3084	4640	WerFault.exe	svchost.exe
4044	4880	WerFault.exe	svchost.exe
632	920	WerFault.exe	svchost.exe
3616	1776	WerFault.exe	svchost.exe
1144	4236	WerFault.exe	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

pid	process
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
4300	svchost.exe
4300	svchost.exe
836	svchost.exe
836	svchost.exe
216	svchost.exe
216	svchost.exe
4924	svchost.exe
4924	svchost.exe
1012	svchost.exe
1012	svchost.exe
888	svchost.exe
888	svchost.exe
480	svchost.exe
480	svchost.exe
4116	svchost.exe
4116	svchost.exe
5068	svchost.exe
5068	svchost.exe
1876	svchost.exe
1876	svchost.exe
1844	svchost.exe
1844	svchost.exe
1164	svchost.exe
1164	svchost.exe
3616	svchost.exe
3616	svchost.exe
1600	svchost.exe
1600	svchost.exe
3036	svchost.exe
3036	svchost.exe
5000	svchost.exe
5000	svchost.exe
3276	svchost.exe
3276	svchost.exe
5012	svchost.exe
5012	svchost.exe
3772	svchost.exe
3772	svchost.exe
3184	svchost.exe
3184	svchost.exe
2220	svchost.exe
2220	svchost.exe
480	svchost.exe
480	svchost.exe
4908	svchost.exe
4908	svchost.exe
2776	svchost.exe
2776	svchost.exe
3460	svchost.exe
3460	svchost.exe
5056	svchost.exe
5056	svchost.exe
2292	svchost.exe
2292	svchost.exe
368	svchost.exe
368	svchost.exe
4936	svchost.exe
4936	svchost.exe
2988	svchost.exe
2988	svchost.exe
4560	svchost.exe
4560	svchost.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe

pid	process
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe

pid process

2412 dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	pid	process
Token: SeDebugPrivilege	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
Token: SeDebugPrivilege	4300	svchost.exe
Token: SeDebugPrivilege	836	svchost.exe
Token: SeDebugPrivilege	216	svchost.exe
Token: SeDebugPrivilege	4924	svchost.exe
Token: SeDebugPrivilege	1012	svchost.exe
Token: SeDebugPrivilege	888	svchost.exe
Token: SeDebugPrivilege	480	svchost.exe
Token: SeDebugPrivilege	4116	svchost.exe
Token: SeDebugPrivilege	5068	svchost.exe
Token: SeDebugPrivilege	1876	svchost.exe
Token: SeDebugPrivilege	1844	svchost.exe
Token: SeDebugPrivilege	1164	svchost.exe
Token: SeDebugPrivilege	3616	svchost.exe
Token: SeDebugPrivilege	1600	svchost.exe
Token: SeDebugPrivilege	3036	svchost.exe
Token: SeDebugPrivilege	5000	svchost.exe
Token: SeDebugPrivilege	3276	svchost.exe
Token: SeDebugPrivilege	5012	svchost.exe
Token: SeDebugPrivilege	3772	svchost.exe
Token: SeDebugPrivilege	3184	svchost.exe
Token: SeDebugPrivilege	2220	svchost.exe
Token: SeDebugPrivilege	480	svchost.exe
Token: SeDebugPrivilege	4908	svchost.exe
Token: SeDebugPrivilege	2776	svchost.exe
Token: SeDebugPrivilege	3460	svchost.exe
Token: SeDebugPrivilege	5056	svchost.exe
Token: SeDebugPrivilege	2292	svchost.exe
Token: SeDebugPrivilege	368	svchost.exe
Token: SeDebugPrivilege	4936	svchost.exe
Token: SeDebugPrivilege	2988	svchost.exe
Token: SeDebugPrivilege	4560	svchost.exe
Token: SeDebugPrivilege	1336	svchost.exe
Token: SeDebugPrivilege	2308	svchost.exe
Token: SeDebugPrivilege	2860	svchost.exe
Token: SeDebugPrivilege	4780	svchost.exe
Token: SeDebugPrivilege	2212	svchost.exe
Token: SeDebugPrivilege	4184	svchost.exe
Token: SeDebugPrivilege	2932	svchost.exe
Token: SeDebugPrivilege	332	svchost.exe
Token: SeDebugPrivilege	900	svchost.exe
Token: SeDebugPrivilege	5028	svchost.exe
Token: SeDebugPrivilege	2224	svchost.exe
Token: SeDebugPrivilege	4456	svchost.exe
Token: SeDebugPrivilege	3748	svchost.exe
Token: SeDebugPrivilege	4988	svchost.exe
Token: SeDebugPrivilege	3492	svchost.exe
Token: SeDebugPrivilege	4804	svchost.exe
Token: SeDebugPrivilege	3084	svchost.exe
Token: SeDebugPrivilege	4916	svchost.exe
Token: SeDebugPrivilege	1508	svchost.exe
Token: SeDebugPrivilege	3676	svchost.exe
Token: SeDebugPrivilege	3992	svchost.exe
Token: SeDebugPrivilege	4980	svchost.exe
Token: SeDebugPrivilege	4304	svchost.exe
Token: SeDebugPrivilege	836	svchost.exe
Token: SeDebugPrivilege	1460	svchost.exe
Token: SeDebugPrivilege	4764	svchost.exe
Token: SeDebugPrivilege	4988	svchost.exe
Token: SeDebugPrivilege	3752	svchost.exe
Token: SeDebugPrivilege	4640	svchost.exe
Token: SeDebugPrivilege	4880	svchost.exe
Token: SeDebugPrivilege	920	svchost.exe
Token: SeDebugPrivilege	1776	svchost.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
4300	svchost.exe
836	svchost.exe
216	svchost.exe
4924	svchost.exe
1012	svchost.exe
888	svchost.exe
480	svchost.exe
4116	svchost.exe
5068	svchost.exe
1876	svchost.exe
1844	svchost.exe
1164	svchost.exe
3616	svchost.exe
1600	svchost.exe
3036	svchost.exe
5000	svchost.exe
3276	svchost.exe
5012	svchost.exe
3772	svchost.exe
3184	svchost.exe
2220	svchost.exe
480	svchost.exe
4908	svchost.exe
2776	svchost.exe
3460	svchost.exe
5056	svchost.exe
2292	svchost.exe
368	svchost.exe
4936	svchost.exe
2988	svchost.exe
4560	svchost.exe
1336	svchost.exe
2308	svchost.exe
2860	svchost.exe
4780	svchost.exe
2212	svchost.exe
4184	svchost.exe
2932	svchost.exe
332	svchost.exe
900	svchost.exe
5028	svchost.exe
2224	svchost.exe
4456	svchost.exe
3748	svchost.exe
4988	svchost.exe
3492	svchost.exe
4804	svchost.exe
3084	svchost.exe
4916	svchost.exe
1508	svchost.exe
3676	svchost.exe
3992	svchost.exe
4980	svchost.exe
4304	svchost.exe
836	svchost.exe
1460	svchost.exe
4764	svchost.exe
4988	svchost.exe
3752	svchost.exe
4640	svchost.exe
4880	svchost.exe
920	svchost.exe
1776	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe

description	pid	process	target process
PID 2412 wrote to memory of 592	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	winlogon.exe
PID 2412 wrote to memory of 592	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	winlogon.exe
PID 2412 wrote to memory of 592	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	winlogon.exe
PID 2412 wrote to memory of 592	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	winlogon.exe
PID 2412 wrote to memory of 592	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	winlogon.exe
PID 2412 wrote to memory of 592	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	winlogon.exe
PID 2412 wrote to memory of 676	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	lsass.exe
PID 2412 wrote to memory of 676	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	lsass.exe
PID 2412 wrote to memory of 676	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	lsass.exe
PID 2412 wrote to memory of 676	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	lsass.exe
PID 2412 wrote to memory of 676	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	lsass.exe
PID 2412 wrote to memory of 676	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	lsass.exe
PID 2412 wrote to memory of 784	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	svchost.exe
PID 2412 wrote to memory of 784	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	svchost.exe
PID 2412 wrote to memory of 784	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	svchost.exe
PID 2412 wrote to memory of 784	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	svchost.exe
PID 2412 wrote to memory of 784	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	svchost.exe
PID 2412 wrote to memory of 784	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	svchost.exe
PID 2412 wrote to memory of 792	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	fontdrvhost.exe
PID 2412 wrote to memory of 792	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	fontdrvhost.exe
PID 2412 wrote to memory of 792	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	fontdrvhost.exe
PID 2412 wrote to memory of 792	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	fontdrvhost.exe
PID 2412 wrote to memory of 792	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	fontdrvhost.exe
PID 2412 wrote to memory of 792	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	fontdrvhost.exe
PID 2412 wrote to memory of 800	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	fontdrvhost.exe
PID 2412 wrote to memory of 800	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	fontdrvhost.exe
PID 2412 wrote to memory of 800	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	fontdrvhost.exe
PID 2412 wrote to memory of 800	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	fontdrvhost.exe
PID 2412 wrote to memory of 800	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	fontdrvhost.exe
PID 2412 wrote to memory of 800	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	fontdrvhost.exe
PID 2412 wrote to memory of 904	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	svchost.exe
PID 2412 wrote to memory of 904	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	svchost.exe
PID 2412 wrote to memory of 904	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	svchost.exe
PID 2412 wrote to memory of 904	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	svchost.exe
PID 2412 wrote to memory of 904	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	svchost.exe
PID 2412 wrote to memory of 904	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	svchost.exe
PID 2412 wrote to memory of 956	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	svchost.exe
PID 2412 wrote to memory of 956	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	svchost.exe
PID 2412 wrote to memory of 956	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	svchost.exe
PID 2412 wrote to memory of 956	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	svchost.exe
PID 2412 wrote to memory of 956	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	svchost.exe
PID 2412 wrote to memory of 956	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	svchost.exe
PID 2412 wrote to memory of 60	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	dwm.exe
PID 2412 wrote to memory of 60	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	dwm.exe
PID 2412 wrote to memory of 60	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	dwm.exe
PID 2412 wrote to memory of 60	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	dwm.exe
PID 2412 wrote to memory of 60	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	dwm.exe
PID 2412 wrote to memory of 60	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	dwm.exe
PID 2412 wrote to memory of 428	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	svchost.exe
PID 2412 wrote to memory of 428	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	svchost.exe
PID 2412 wrote to memory of 428	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	svchost.exe
PID 2412 wrote to memory of 428	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	svchost.exe
PID 2412 wrote to memory of 428	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	svchost.exe
PID 2412 wrote to memory of 428	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	svchost.exe
PID 2412 wrote to memory of 692	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	svchost.exe
PID 2412 wrote to memory of 692	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	svchost.exe
PID 2412 wrote to memory of 692	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	svchost.exe
PID 2412 wrote to memory of 692	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	svchost.exe
PID 2412 wrote to memory of 692	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	svchost.exe
PID 2412 wrote to memory of 692	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	svchost.exe
PID 2412 wrote to memory of 636	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	svchost.exe
PID 2412 wrote to memory of 636	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	svchost.exe
PID 2412 wrote to memory of 636	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	svchost.exe
PID 2412 wrote to memory of 636	2412	dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe	svchost.exe

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:676

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:592

C:\Windows\system32\dwm.exe
"dwm.exe"
2⤵
PID:60

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
2⤵
PID:800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p
1⤵
PID:784

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:3400

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
2⤵
PID:4044

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:1108

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
2⤵
PID:3148

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
2⤵
PID:1160

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe
2⤵
PID:5080

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:4160

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:3976

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
2⤵
PID:3720

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
2⤵
PID:3480

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
2⤵
PID:3332

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
2⤵
PID:3228

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM
1⤵
PID:956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
1⤵
PID:428

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts
1⤵
PID:692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p
1⤵
PID:636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
1⤵
PID:1084

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
2⤵
PID:2564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s nsi
1⤵
PID:1440

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp
1⤵
PID:1528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache
1⤵
PID:1860

C:\Windows\System32\spoolsv.exe
C:\Windows\System32\spoolsv.exe
1⤵
PID:1000

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc
1⤵
PID:2072

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2452

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WerSvcGroup
1⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4300 -ip 4300
2⤵
PID:5016

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 836 -ip 836
2⤵
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 216 -ip 216
2⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4924 -ip 4924
2⤵
PID:4920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1012 -ip 1012
2⤵
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 888 -ip 888
2⤵
PID:2728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 480 -ip 480
2⤵
PID:1772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 4116 -ip 4116
2⤵
PID:1768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 656 -p 5068 -ip 5068
2⤵
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1876 -ip 1876
2⤵
PID:1240

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1844 -ip 1844
2⤵
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 684 -p 1164 -ip 1164
2⤵
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 3616 -ip 3616
2⤵
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 660 -p 1600 -ip 1600
2⤵
PID:368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 720 -p 3036 -ip 3036
2⤵
PID:1356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 716 -p 5000 -ip 5000
2⤵
PID:4064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 3276 -ip 3276
2⤵
PID:224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 708 -p 5012 -ip 5012
2⤵
PID:1328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 744 -p 3772 -ip 3772
2⤵
PID:4444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 752 -p 3184 -ip 3184
2⤵
PID:4224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 756 -p 2220 -ip 2220
2⤵
PID:1772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 480 -ip 480
2⤵
PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 728 -p 4908 -ip 4908
2⤵
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 2776 -ip 2776
2⤵
PID:1308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 780 -p 3460 -ip 3460
2⤵
PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 5056 -ip 5056
2⤵
PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 824 -p 2292 -ip 2292
2⤵
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 832 -p 368 -ip 368
2⤵
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 844 -p 4936 -ip 4936
2⤵
PID:1456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 864 -p 2988 -ip 2988
2⤵
PID:1116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 888 -p 4560 -ip 4560
2⤵
PID:704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 904 -p 1336 -ip 1336
2⤵
PID:5108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 916 -p 2308 -ip 2308
2⤵
PID:1712

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 932 -p 2860 -ip 2860
2⤵
PID:2004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 948 -p 4780 -ip 4780
2⤵
PID:2472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 940 -p 2212 -ip 2212
2⤵
PID:4840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 4184 -ip 4184
2⤵
PID:4824

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 2932 -ip 2932
2⤵
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 332 -ip 332
2⤵
PID:2168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1016 -p 900 -ip 900
2⤵
PID:2104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 5028 -ip 5028
2⤵
PID:2172

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 868 -p 2224 -ip 2224
2⤵
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1008 -p 4456 -ip 4456
2⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 952 -p 3748 -ip 3748
2⤵
PID:1424

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1008 -p 4988 -ip 4988
2⤵
PID:1252

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1008 -p 3492 -ip 3492
2⤵
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 976 -p 4804 -ip 4804
2⤵
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 976 -p 3084 -ip 3084
2⤵
PID:3380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 996 -p 4916 -ip 4916
2⤵
PID:3588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 1508 -ip 1508
2⤵
PID:1680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 952 -p 3676 -ip 3676
2⤵
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 3992 -ip 3992
2⤵
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 4980 -ip 4980
2⤵
PID:3716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 992 -p 4304 -ip 4304
2⤵
PID:1292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 976 -p 836 -ip 836
2⤵
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 952 -p 1460 -ip 1460
2⤵
PID:4748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 4764 -ip 4764
2⤵
PID:3452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 868 -p 4988 -ip 4988
2⤵
PID:888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 976 -p 3752 -ip 3752
2⤵
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 976 -p 4640 -ip 4640
2⤵
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 952 -p 4880 -ip 4880
2⤵
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1008 -p 920 -ip 920
2⤵
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 1776 -ip 1776
2⤵
PID:3188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 4236 -ip 4236
2⤵
PID:4588

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 996 -p 1708 -ip 1708
2⤵
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 952 -p 1288 -ip 1288
2⤵
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 996 -p 4472 -ip 4472
2⤵
PID:4388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 3136 -ip 3136
2⤵
PID:1188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1008 -p 4376 -ip 4376
2⤵
PID:884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1020 -p 3596 -ip 3596
2⤵
PID:2764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 968 -p 3292 -ip 3292
2⤵
PID:4648

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 868 -p 2000 -ip 2000
2⤵
PID:1500

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 960 -p 3988 -ip 3988
2⤵
PID:2040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 868 -p 3620 -ip 3620
2⤵
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 2476 -ip 2476
2⤵
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 868 -p 1144 -ip 1144
2⤵
PID:1420

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 988 -p 4872 -ip 4872
2⤵
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1020 -p 4320 -ip 4320
2⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 976 -p 3896 -ip 3896
2⤵
PID:4496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 952 -p 4808 -ip 4808
2⤵
PID:3568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 4988 -ip 4988
2⤵
PID:4776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1008 -p 1644 -ip 1644
2⤵
PID:520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 952 -p 1768 -ip 1768
2⤵
PID:1936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1000 -p 3544 -ip 3544
2⤵
PID:4976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1000 -p 4088 -ip 4088
2⤵
PID:920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 868 -p 1104 -ip 1104
2⤵
PID:4336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1000 -p 2288 -ip 2288
2⤵
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 3660 -ip 3660
2⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 1288 -ip 1288
2⤵
PID:932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 952 -p 4732 -ip 4732
2⤵
PID:3984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 1832 -ip 1832
2⤵
PID:3468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 868 -p 4908 -ip 4908
2⤵
PID:456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 3160 -ip 3160
2⤵
PID:1768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 992 -p 2376 -ip 2376
2⤵
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 4896 -ip 4896
2⤵
PID:1108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 868 -p 5028 -ip 5028
2⤵
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 2380 -ip 2380
2⤵
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 968 -p 4564 -ip 4564
2⤵
PID:932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1000 -p 1652 -ip 1652
2⤵
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1008 -p 4804 -ip 4804
2⤵
PID:5116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1000 -p 4476 -ip 4476
2⤵
PID:5104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 992 -p 4832 -ip 4832
2⤵
PID:2304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 3436 -ip 3436
2⤵
PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 952 -p 4932 -ip 4932
2⤵
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 988 -p 820 -ip 820
2⤵
PID:4752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 4560 -ip 4560
2⤵
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 932 -ip 932
2⤵
PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 960 -p 4660 -ip 4660
2⤵
PID:968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 4964 -ip 4964
2⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 960 -p 4908 -ip 4908
2⤵
PID:1632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 968 -p 3900 -ip 3900
2⤵
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1004 -p 644 -ip 644
2⤵
PID:4076

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 980 -p 4932 -ip 4932
2⤵
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 992 -p 3700 -ip 3700
2⤵
PID:4672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1008 -p 4528 -ip 4528
2⤵
PID:3132

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
1⤵
PID:4688

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
PID:4744

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -s W32Time
1⤵
PID:2228

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
1⤵
PID:2152

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc
1⤵
PID:4112

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc
1⤵
PID:812

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
1⤵
PID:4540

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2612

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2232

C:\Users\Admin\AppData\Local\Temp\dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe
"C:\Users\Admin\AppData\Local\Temp\dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85.exe"
2⤵
- Modifies firewall policy service
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2412

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
1⤵
PID:2680

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
1⤵
PID:2672

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks
1⤵
PID:2656

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
1⤵
PID:2628

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc
1⤵
PID:2572

C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe
"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service
1⤵
PID:2552

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent
1⤵
PID:2332

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
1⤵
PID:2324

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation
1⤵
PID:2092

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p
1⤵
PID:1660

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
1⤵
PID:1952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository
1⤵
PID:1896

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1868

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm
1⤵
PID:1788

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p
1⤵
PID:1736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc
1⤵
PID:1692

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s FontCache
1⤵
PID:1624

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder
1⤵
PID:1612

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
1⤵
PID:1576

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
1⤵
PID:1464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem
1⤵
PID:1448

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
1⤵
PID:1312

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog
1⤵
PID:1280

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
1⤵
PID:1216

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc
1⤵
PID:1208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc
1⤵
PID:1076

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService
1⤵
PID:1068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k RPCSS -p
1⤵
PID:904

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:792

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 700
2⤵
- Program crash
PID:1420

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 836 -s 672
2⤵
- Program crash
PID:2028

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 672
2⤵
- Program crash
PID:4736

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 676
2⤵
- Program crash
PID:2364

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1012 -s 672
2⤵
- Program crash
PID:884

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 888 -s 672
2⤵
- Program crash
PID:2220

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 480 -s 672
2⤵
- Program crash
PID:1432

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4116

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4116 -s 672
2⤵
- Program crash
PID:544

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5068 -s 672
2⤵
- Program crash
PID:4840

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 684
2⤵
- Program crash
PID:3192

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1844 -s 672
2⤵
- Program crash
PID:948

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1164 -s 672
2⤵
- Program crash
PID:4312

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 696
2⤵
- Program crash
PID:5076

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 672
2⤵
- Program crash
PID:3612

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3036

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 692
2⤵
- Program crash
PID:4328

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 680
2⤵
- Program crash
PID:2224

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3276 -s 672
2⤵
- Program crash
PID:3344

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5012

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5012 -s 692
2⤵
- Program crash
PID:1424

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3772 -s 680
2⤵
- Program crash
PID:1252

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3184 -s 672
2⤵
- Program crash
PID:2728

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2220 -s 672
2⤵
- Program crash
PID:4780

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 480 -s 676
2⤵
- Program crash
PID:3084

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 672
2⤵
- Program crash
PID:520

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2776 -s 688
2⤵
- Program crash
PID:3464

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3460 -s 692
2⤵
- Program crash
PID:1632

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5056 -s 672
2⤵
- Program crash
PID:3564

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2292 -s 696
2⤵
- Program crash
PID:3816

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 680
2⤵
- Program crash
PID:3780

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4936 -s 672
2⤵
- Program crash
PID:4304

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 672
2⤵
- Program crash
PID:4828

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 672
2⤵
- Program crash
PID:4904

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1336 -s 688
2⤵
- Program crash
PID:1252

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2308 -s 692
2⤵
- Program crash
PID:1664

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2860

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 692
2⤵
- Program crash
PID:1752

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4780

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4780 -s 672
2⤵
- Program crash
PID:3052

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 672
2⤵
- Program crash
PID:968

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4184 -s 672
2⤵
- Program crash
PID:3076

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2932 -s 680
2⤵
- Program crash
PID:3512

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 332 -s 672
2⤵
- Program crash
PID:5056

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 900 -s 672
2⤵
- Program crash
PID:2380

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 688
2⤵
- Program crash
PID:1324

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2224

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 680
2⤵
- Program crash
PID:3036

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 692
2⤵
- Program crash
PID:4828

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3748 -s 688
2⤵
- Program crash
PID:4132

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 672
2⤵
- Program crash
PID:4376

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3492 -s 672
2⤵
- Program crash
PID:3600

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 684
2⤵
- Program crash
PID:2408

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 672
2⤵
- Program crash
PID:4840

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 676
2⤵
- Program crash
PID:4704

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1508

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1508 -s 672
2⤵
- Program crash
PID:1132

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3676 -s 672
2⤵
- Program crash
PID:612

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 672
2⤵
- Program crash
PID:3100

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4980

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 672
2⤵
- Program crash
PID:368

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4304

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 672
2⤵
- Program crash
PID:1116

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 836 -s 672
2⤵
- Program crash
PID:4464

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1460

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1460 -s 672
2⤵
- Program crash
PID:5012

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 692
2⤵
- Program crash
PID:4716

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 676
2⤵
- Program crash
PID:1712

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3752 -s 688
2⤵
- Program crash
PID:3292

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4640

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4640 -s 672
2⤵
- Program crash
PID:3084

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4880 -s 684
2⤵
- Program crash
PID:4044

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:920

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 672
2⤵
- Program crash
PID:632

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1776

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 672
2⤵
- Program crash
PID:3616

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
PID:4236

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4236 -s 672
2⤵
- Program crash
PID:1144

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:1708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1708 -s 672
2⤵
PID:2224

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:1288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 692
2⤵
PID:820

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 680
2⤵
PID:1424

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 672
2⤵
PID:3452

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 672
2⤵
PID:2160

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3596 -s 672
2⤵
PID:4776

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3292

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3292 -s 672
2⤵
PID:4908

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:2000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 672
2⤵
PID:1936

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3988 -s 676
2⤵
PID:632

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3620 -s 676
2⤵
PID:3616

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:2476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 672
2⤵
PID:3244

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:1144

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 680
2⤵
PID:1292

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4872 -s 672
2⤵
PID:4456

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4320 -s 688
2⤵
PID:4748

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3896 -s 672
2⤵
PID:4644

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4808

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4808 -s 676
2⤵
PID:4620

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 672
2⤵
PID:2472

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 684
2⤵
PID:2860

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:1768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 672
2⤵
PID:4916

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3544

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 688
2⤵
PID:3188

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 676
2⤵
PID:3992

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:1104

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1104 -s 692
2⤵
PID:224

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:2288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 672
2⤵
PID:2988

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3660 -s 692
2⤵
PID:4036

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:1288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1288 -s 672
2⤵
PID:4416

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 684
2⤵
PID:4660

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:1832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 688
2⤵
PID:2408

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 672
2⤵
PID:5104

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3160

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 672
2⤵
PID:4124

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 672
2⤵
PID:2980

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4896 -s 672
2⤵
PID:4140

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:5028

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5028 -s 672
2⤵
PID:2712

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:2380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 672
2⤵
PID:5012

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 672
2⤵
PID:4416

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 684
2⤵
PID:3420

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4804 -s 672
2⤵
PID:3856

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4476

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 684
2⤵
PID:2212

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4832 -s 688
2⤵
PID:3900

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 680
2⤵
PID:3328

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 672
2⤵
PID:900

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 672
2⤵
PID:5000

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4560

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4560 -s 696
2⤵
PID:2380

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 932 -s 684
2⤵
PID:1712

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4660 -s 672
2⤵
PID:2408

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4964

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4964 -s 672
2⤵
PID:4308

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4908

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4908 -s 672
2⤵
PID:3564

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 672
2⤵
PID:4260

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 644 -s 692
2⤵
PID:3816

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4932 -s 672
2⤵
PID:2356

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:3700

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3700 -s 672
2⤵
PID:952

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 672
2⤵
PID:4652

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Network Service Scanning

T1046

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
C:\Windows\svchost.exe
Filesize
233KB

MD5
064c205aceec74832921f2db4eb657ed

SHA1
fec7b2603aa0719ef7cf4432578f1722579c254c

SHA256
dc637d75ac17a06ceb0e5ce8ec7d8bf914a23b8e46f0d0f5a1480307f36a8b85

SHA512
4a38a929539eef7119965cbda537f17f56c05c2e98bc6ad4e24be869e3811551447988d751643eda6cebc88622b9b5b9178c5f940fa55e85a08b9843b8fafe1f

Download Submit
memory/216-153-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/480-178-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/480-283-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/836-146-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/888-173-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/888-168-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1012-165-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1164-209-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1600-220-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1600-226-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1844-202-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/1876-196-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2220-272-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2220-277-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2412-191-0x000000007FDB0000-0x000000007FDBC000-memory.dmp

Filesize
48KB

Download
memory/2412-222-0x000000007FD70000-0x000000007FD7C000-memory.dmp

Filesize
48KB

Download
memory/2412-269-0x000000007FD00000-0x000000007FD0C000-memory.dmp

Filesize
48KB

Download
memory/2412-276-0x000000007FCF0000-0x000000007FCFC000-memory.dmp

Filesize
48KB

Download
memory/2412-131-0x0000000010000000-0x000000001000A000-memory.dmp

Filesize
40KB

Download
memory/2412-267-0x000000007FD90000-0x000000007FD9C000-memory.dmp

Filesize
48KB

Download
memory/2412-282-0x000000007FD70000-0x000000007FD7C000-memory.dmp

Filesize
48KB

Download
memory/2412-262-0x000000007FD10000-0x000000007FD1C000-memory.dmp

Filesize
48KB

Download
memory/2412-284-0x000000007FCE0000-0x000000007FCEC000-memory.dmp

Filesize
48KB

Download
memory/2412-140-0x000000007FE30000-0x000000007FE3C000-memory.dmp

Filesize
48KB

Download
memory/2412-289-0x000000007FD60000-0x000000007FD6C000-memory.dmp

Filesize
48KB

Download
memory/2412-260-0x000000007FDA0000-0x000000007FDAC000-memory.dmp

Filesize
48KB

Download
memory/2412-255-0x000000007FD20000-0x000000007FD2C000-memory.dmp

Filesize
48KB

Download
memory/2412-145-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2412-253-0x000000007FDB0000-0x000000007FDBC000-memory.dmp

Filesize
48KB

Download
memory/2412-248-0x000000007FD30000-0x000000007FD3C000-memory.dmp

Filesize
48KB

Download
memory/2412-147-0x000000007FE20000-0x000000007FE2C000-memory.dmp

Filesize
48KB

Download
memory/2412-246-0x000000007FDC0000-0x000000007FDCC000-memory.dmp

Filesize
48KB

Download
memory/2412-241-0x000000007FD40000-0x000000007FD4C000-memory.dmp

Filesize
48KB

Download
memory/2412-152-0x000000007FE30000-0x000000007FE3C000-memory.dmp

Filesize
48KB

Download
memory/2412-239-0x000000007FDD0000-0x000000007FDDC000-memory.dmp

Filesize
48KB

Download
memory/2412-234-0x000000007FD50000-0x000000007FD5C000-memory.dmp

Filesize
48KB

Download
memory/2412-154-0x000000007FE10000-0x000000007FE1C000-memory.dmp

Filesize
48KB

Download
memory/2412-232-0x000000007FDE0000-0x000000007FDEC000-memory.dmp

Filesize
48KB

Download
memory/2412-227-0x000000007FD60000-0x000000007FD6C000-memory.dmp

Filesize
48KB

Download
memory/2412-271-0x000000007FD80000-0x000000007FD8C000-memory.dmp

Filesize
48KB

Download
memory/2412-221-0x000000007FDF0000-0x000000007FDFC000-memory.dmp

Filesize
48KB

Download
memory/2412-160-0x000000007FE00000-0x000000007FE0C000-memory.dmp

Filesize
48KB

Download
memory/2412-214-0x000000007FE00000-0x000000007FE0C000-memory.dmp

Filesize
48KB

Download
memory/2412-166-0x000000007FDF0000-0x000000007FDFC000-memory.dmp

Filesize
48KB

Download
memory/2412-211-0x000000007FD80000-0x000000007FD8C000-memory.dmp

Filesize
48KB

Download
memory/2412-210-0x000000007FE10000-0x000000007FE1C000-memory.dmp

Filesize
48KB

Download
memory/2412-204-0x000000007FD90000-0x000000007FD9C000-memory.dmp

Filesize
48KB

Download
memory/2412-203-0x000000007FE20000-0x000000007FE2C000-memory.dmp

Filesize
48KB

Download
memory/2412-197-0x000000007FDA0000-0x000000007FDAC000-memory.dmp

Filesize
48KB

Download
memory/2412-130-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/2412-172-0x000000007FDE0000-0x000000007FDEC000-memory.dmp

Filesize
48KB

Download
memory/2412-185-0x000000007FDC0000-0x000000007FDCC000-memory.dmp

Filesize
48KB

Download
memory/2412-179-0x000000007FDD0000-0x000000007FDDC000-memory.dmp

Filesize
48KB

Download
memory/3036-233-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/3184-268-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/3276-247-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/3616-213-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/3616-218-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/3772-261-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/4116-184-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/4300-139-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/4924-159-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/5000-240-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/5012-254-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download
memory/5068-190-0x0000000000400000-0x0000000000489000-memory.dmp

Filesize
548KB

Download