Analysis
max time kernel: 147s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/11/2023, 02:41
Behavioral task
behavioral1
Sample
c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921.exe
Resource
win7-20231020-en
General
Target: c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921.exe
Size: 3.0MB
MD5: 4060530bf60f50e248e3d865761d9468
SHA1: 407f6b210b125159d02637487323610b50c612ea
SHA256: c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921
SHA512: 78bf9894a2824f7c67d67e3ac85a10e63447f8e945680af2da6c8d614c5ae8fbb94fddf24aa3f4c3ff6a99af3a83c297faabdca38dfe7b9d0e4cf0f9153dcd7a
SSDEEP: 49152:B0CN8QFUwqYZeM9/ZzzBjMkPUayX82+YXAypQxb9ndo9JnCm4WncFf0I74gu38M:B10wGGzBjryX82uypSb9ndo9JCm
Malware Config
Extracted
orcus
Test
127.0.0.1:5050
92717e41854541ee91a4480e70a46c3f
autostart_method: Registry
enable_keylogger: true
install_path: C:\Windows\System32\svchosts.exe
reconnect_delay: 10000
registry_keyname: svchostse
taskscheduler_taskname: svchostse
watchdog_path: Temp\svchostse.exe
Signatures
-
Orcurs Rat Executable 5 IoCs
resource yara_rule behavioral2/memory/1080-0-0x00000192BC5D0000-0x00000192BC8CC000-memory.dmp orcus behavioral2/files/0x0006000000023207-37.dat orcus behavioral2/files/0x0006000000023207-43.dat orcus behavioral2/files/0x0006000000023207-46.dat orcus behavioral2/files/0x0006000000023207-52.dat orcus -
Checks computer location settings 2 TTPs 64 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation svchostse.exe
Executes dropped EXE 64 IoCs
Drops file in System32 directory 6 IoCs
description ioc Process
File created C:\Windows\SysWOW64\WindowsInput.exe c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921.exe
File created C:\Windows\SysWOW64\WindowsInput.exe.config c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921.exe
File created C:\Windows\SysWOW64\WindowsInput.InstallState WindowsInput.exe
File created C:\Windows\System32\svchosts.exe c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921.exe
File opened for modification C:\Windows\System32\svchosts.exe c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921.exe
File created C:\Windows\System32\svchosts.exe.config c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 64 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4752 svchosts.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 4752 svchosts.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 4752 svchosts.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921.exe"C:\Users\Admin\AppData\Local\Temp\c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921.exe"1⤵
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe" --install2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2040
-
-
C:\Windows\System32\svchosts.exe"C:\Windows\System32\svchosts.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4752 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2212 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵
- Executes dropped EXE
PID:3136 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 8405⤵
- Program crash
PID:3892
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2824 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵
- Executes dropped EXE
PID:4024 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 8405⤵
- Program crash
PID:4304
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1812 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵
- Executes dropped EXE
PID:3980 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 8405⤵
- Program crash
PID:4828
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵
- Executes dropped EXE
PID:4680 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 8405⤵
- Program crash
PID:2024
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3900 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵
- Executes dropped EXE
PID:1116 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 8405⤵
- Program crash
PID:768
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵
- Executes dropped EXE
PID:2868 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 8405⤵
- Program crash
PID:3192
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1916 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵
- Executes dropped EXE
PID:436 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 8405⤵
- Program crash
PID:1664
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4696 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵
- Executes dropped EXE
PID:3944 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 8405⤵
- Program crash
PID:3784
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5020 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵
- Executes dropped EXE
PID:4300 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 8405⤵
- Program crash
PID:1852
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4868 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵
- Executes dropped EXE
PID:972 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 8405⤵
- Program crash
PID:3508
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3356 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵
- Executes dropped EXE
PID:1272 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 8405⤵
- Program crash
PID:4024
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3684 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵
- Executes dropped EXE
PID:1224 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 8405⤵
- Program crash
PID:1032
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4280 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵
- Executes dropped EXE
PID:2580 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 8405⤵
- Program crash
PID:5116
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4060 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵
- Executes dropped EXE
PID:496 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 496 -s 8405⤵
- Program crash
PID:492
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:924 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵
- Executes dropped EXE
PID:1664 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 8405⤵
- Program crash
PID:4040
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4444 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵
- Executes dropped EXE
PID:4416 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 8405⤵
- Program crash
PID:3036
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4400 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵
- Executes dropped EXE
PID:968 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 8405⤵
- Program crash
PID:1508
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2760 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:688
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 8405⤵
- Program crash
PID:1148
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4500 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵
- Executes dropped EXE
PID:4600 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 8405⤵
- Program crash
PID:1524
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1532 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵
- Executes dropped EXE
PID:2016 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 8405⤵
- Program crash
PID:4432
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2040 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵
- Executes dropped EXE
PID:2740 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 8405⤵
- Program crash
PID:5112
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3976 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵
- Executes dropped EXE
PID:492 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 492 -s 8405⤵
- Program crash
PID:3628
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4576 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵
- Executes dropped EXE
PID:4776 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 8405⤵
- Program crash
PID:3944
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:456 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵
- Executes dropped EXE
PID:3952 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 8405⤵
- Program crash
PID:748
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:432 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵
- Executes dropped EXE
PID:2808 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 8405⤵
- Program crash
PID:4380
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:688 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵
- Executes dropped EXE
PID:2508 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 8405⤵
- Program crash
PID:4456
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1116 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵
- Executes dropped EXE
PID:1264 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 8405⤵
- Program crash
PID:1784
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1788 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵
- Executes dropped EXE
PID:4544 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 8405⤵
- Program crash
PID:3012
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4424 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:3264
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 8445⤵
- Program crash
PID:5044
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4524 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 8405⤵
- Program crash
PID:1704
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3460 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:2856
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 8405⤵
- Program crash
PID:4204
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1936 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:4028
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 8405⤵
- Program crash
PID:3980
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3544 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:1904
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 8405⤵
- Program crash
PID:4548
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:952 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:1624
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 8405⤵
- Program crash
PID:4384
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4436 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:1332
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 8405⤵
- Program crash
PID:2992
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:1408 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:4744
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 8405⤵
- Program crash
PID:2408
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:5024 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵
- Executes dropped EXE
PID:3264 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 8445⤵
- Program crash
PID:2852
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:1260 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:1652
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 8405⤵
- Program crash
PID:4708
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4776 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:2576
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 8405⤵
- Program crash
PID:760
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4348 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:1868
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 8405⤵
- Program crash
PID:848
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4888 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:4972
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 8405⤵
- Program crash
PID:4620
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:2000 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:1268
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 8405⤵
- Program crash
PID:2444
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1668 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:1700
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 8405⤵
- Program crash
PID:640
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4744 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:4592
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 8405⤵
- Program crash
PID:2752
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:2220 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:216
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 8405⤵
- Program crash
PID:3136
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2756 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:1452
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 8405⤵
- Program crash
PID:3508
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4048 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:760
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 4045⤵
- Program crash
PID:728
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4376 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:4692
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 8405⤵
- Program crash
PID:4600
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4560 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:352
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 352 -s 8405⤵
- Program crash
PID:2688
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:1264 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:2876
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 8405⤵
- Program crash
PID:4232
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:1424 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:1816
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 8405⤵
- Program crash
PID:3752
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:3504 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:1832
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 8405⤵
- Program crash
PID:2772
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:3852 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:3944
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 8405⤵
- Program crash
PID:972
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4352 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:4368
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 8405⤵
- Program crash
PID:1148
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4024 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:4200
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 8405⤵
- Program crash
PID:1676
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:2024 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:1524
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 8445⤵
- Program crash
PID:4456
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:4328 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:352
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 352 -s 8405⤵
- Program crash
PID:3140
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4612 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:2480
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 8405⤵
- Program crash
PID:3312
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1700 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:1816
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 8405⤵
- Program crash
PID:5080
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:3916 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:1924
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 8405⤵
- Program crash
PID:2420
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:2776 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:1452
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 8405⤵
- Program crash
PID:3212
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
PID:5076 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:1488
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 8445⤵
- Program crash
PID:5000
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2644 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:452
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 452 -s 8405⤵
- Program crash
PID:1792
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵PID:3772
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:1612
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 8485⤵
- Program crash
PID:4456
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵PID:5100
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:1940
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 8405⤵PID:3744
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵PID:468
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:5044
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 8405⤵PID:2424
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵PID:4892
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:3540
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 8405⤵PID:3940
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵PID:4036
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:1924
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 8445⤵PID:5032
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
PID:1740 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:3840
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 8405⤵PID:4368
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵PID:760
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:4304
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 8405⤵PID:1904
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
PID:3088 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:5080
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 8405⤵PID:548
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵PID:3708
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:2452
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 8405⤵PID:4836
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
PID:3272 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:4360
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 8405⤵PID:4600
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵PID:4496
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:3604
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 8405⤵PID:3596
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
PID:2748 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:1144
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 8405⤵PID:968
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵PID:1704
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:1580
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 8405⤵PID:1924
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵PID:4672
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:5000
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 8405⤵PID:4300
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
PID:4476 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:5112
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 8405⤵PID:1624
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵PID:4036
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:3900
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 8405⤵PID:5076
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
PID:4048 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:1668
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 8405⤵PID:1244
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
PID:3752 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:1416
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 8405⤵PID:5072
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵PID:4116
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:732
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 8405⤵PID:3192
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
PID:2148 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:3012
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 8405⤵PID:492
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵PID:3540
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:1960
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 8405⤵PID:5104
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵PID:1256
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:548
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 8405⤵PID:3880
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵PID:3556
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:4680
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 8405⤵PID:4300
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵PID:4584
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:4600
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 8405⤵PID:4620
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
PID:4432 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:4744
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 8405⤵PID:3460
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵PID:2644
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:924
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 8405⤵PID:3972
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
PID:4972 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:2264
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 8405⤵PID:460
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
PID:1852 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:4456
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 8405⤵PID:3492
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
PID:4148 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:3604
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 8405⤵PID:4708
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
PID:4596 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:4008
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 8405⤵PID:1432
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵PID:1124
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:3084
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 8405⤵PID:1556
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
PID:5000 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:4680
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 8405⤵PID:2576
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
PID:4300 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:2000
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 8405⤵PID:1936
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
PID:3052 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:3852
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 8405⤵PID:4776
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵PID:2284
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:4604
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 8485⤵PID:5008
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
PID:640 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:4836
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 8405⤵PID:1568
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
PID:5056 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:3784
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 8405⤵PID:4172
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
PID:3604 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:2512
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 8405⤵PID:1960
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
PID:1580 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:4828
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 8405⤵PID:1868
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
PID:4788 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:3956
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 8405⤵PID:4132
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵PID:1916
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:1116
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 8405⤵PID:5024
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
PID:3356 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:4024
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 8405⤵PID:1812
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
PID:3768 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:3732
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 8405⤵PID:1328
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵PID:1696
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:4940
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 8405⤵PID:4176
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
PID:2012 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:748
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 8405⤵PID:3860
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
PID:400 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:3840
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 8405⤵PID:4200
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵PID:1108
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:2812
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 8645⤵PID:3792
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
PID:4840 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:1532
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 8405⤵PID:4468
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵
- Checks computer location settings
PID:3900 -
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:4892
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 8405⤵PID:1036
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵PID:4480
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:436
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 8405⤵PID:872
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵PID:4860
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:3744
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 8405⤵PID:3012
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵PID:2576
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"4⤵PID:1344
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 8405⤵PID:4384
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\svchostse.exe"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile3⤵PID:1836
-
-
-
C:\Windows\SysWOW64\WindowsInput.exe"C:\Windows\SysWOW64\WindowsInput.exe"1⤵
- Executes dropped EXE
PID:3248
-
C:\Windows\System32\svchosts.exeC:\Windows\System32\svchosts.exe1⤵
- Executes dropped EXE
PID:456
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3136 -ip 31361⤵PID:1964
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4024 -ip 40241⤵PID:4068
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3980 -ip 39801⤵PID:1508
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4680 -ip 46801⤵PID:3684
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1116 -ip 11161⤵PID:4392
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2868 -ip 28681⤵PID:5096
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 436 -ip 4361⤵PID:4764
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3944 -ip 39441⤵PID:1260
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4300 -ip 43001⤵PID:4580
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 972 -ip 9721⤵PID:4688
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1272 -ip 12721⤵PID:1148
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1224 -ip 12241⤵PID:2644
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2580 -ip 25801⤵PID:1264
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 496 -ip 4961⤵PID:2992
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1664 -ip 16641⤵PID:1828
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4416 -ip 44161⤵PID:4364
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 968 -ip 9681⤵PID:1560
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 688 -ip 6881⤵PID:3544
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4600 -ip 46001⤵PID:4972
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2016 -ip 20161⤵PID:1264
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2740 -ip 27401⤵PID:4544
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 492 -ip 4921⤵PID:4616
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4776 -ip 47761⤵PID:3784
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3952 -ip 39521⤵PID:4136
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2808 -ip 28081⤵PID:1148
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2508 -ip 25081⤵PID:3548
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1264 -ip 12641⤵PID:4584
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4544 -ip 45441⤵PID:3332
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3264 -ip 32641⤵PID:872
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2748 -ip 27481⤵PID:3628
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2856 -ip 28561⤵PID:1960
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4028 -ip 40281⤵PID:760
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1904 -ip 19041⤵PID:1248
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1624 -ip 16241⤵PID:3740
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1332 -ip 13321⤵PID:3140
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4744 -ip 47441⤵PID:2480
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3264 -ip 32641⤵PID:1156
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1652 -ip 16521⤵PID:5052
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2576 -ip 25761⤵PID:3508
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1868 -ip 18681⤵PID:3880
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4972 -ip 49721⤵PID:3048
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1268 -ip 12681⤵PID:2904
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1700 -ip 17001⤵PID:3272
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4592 -ip 45921⤵PID:3916
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 216 -ip 2161⤵PID:492
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1452 -ip 14521⤵PID:3096
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 760 -ip 7601⤵PID:1148
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4692 -ip 46921⤵PID:1292
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 352 -ip 3521⤵PID:3436
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2876 -ip 28761⤵PID:468
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1816 -ip 18161⤵PID:4832
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1832 -ip 18321⤵PID:4908
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3944 -ip 39441⤵PID:4580
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4368 -ip 43681⤵PID:4828
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4200 -ip 42001⤵PID:4572
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1524 -ip 15241⤵PID:3044
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 352 -ip 3521⤵PID:460
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2480 -ip 24801⤵PID:4232
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1816 -ip 18161⤵PID:2148
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1924 -ip 19241⤵PID:3936
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1452 -ip 14521⤵PID:3952
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1488 -ip 14881⤵PID:4368
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 452 -ip 4521⤵PID:2580
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1612 -ip 16121⤵PID:3708
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1940 -ip 19401⤵PID:4700
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5044 -ip 50441⤵PID:4472
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3540 -ip 35401⤵PID:3784
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1924 -ip 19241⤵PID:1256
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3840 -ip 38401⤵PID:4852
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4304 -ip 43041⤵PID:2012
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5080 -ip 50801⤵PID:4432
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2452 -ip 24521⤵PID:2080
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4360 -ip 43601⤵PID:4860
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3604 -ip 36041⤵PID:4832
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1144 -ip 11441⤵PID:216
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1580 -ip 15801⤵PID:2652
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5000 -ip 50001⤵PID:4380
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5112 -ip 51121⤵PID:5064
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3900 -ip 39001⤵PID:4888
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1668 -ip 16681⤵PID:4424
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1416 -ip 14161⤵PID:2876
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 732 -ip 7321⤵PID:2648
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3012 -ip 30121⤵PID:816
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1960 -ip 19601⤵PID:3952
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 548 -ip 5481⤵PID:5052
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4680 -ip 46801⤵PID:1292
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4600 -ip 46001⤵PID:1676
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4744 -ip 47441⤵PID:468
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 924 -ip 9241⤵PID:456
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2264 -ip 22641⤵PID:3216
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4456 -ip 44561⤵PID:2400
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3604 -ip 36041⤵PID:2420
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4008 -ip 40081⤵PID:2652
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3084 -ip 30841⤵PID:1924
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4680 -ip 46801⤵PID:768
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2000 -ip 20001⤵PID:3684
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3852 -ip 38521⤵PID:4348
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4604 -ip 46041⤵PID:2424
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4836 -ip 48361⤵PID:452
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3784 -ip 37841⤵PID:1832
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2512 -ip 25121⤵PID:5104
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4828 -ip 48281⤵PID:3080
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3956 -ip 39561⤵PID:2812
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1116 -ip 11161⤵PID:1424
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4024 -ip 40241⤵PID:1264
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3732 -ip 37321⤵PID:436
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4940 -ip 49401⤵PID:4204
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 748 -ip 7481⤵PID:4708
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3840 -ip 38401⤵PID:2264
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2812 -ip 28121⤵PID:3956
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1532 -ip 15321⤵PID:3932
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4892 -ip 48921⤵PID:2408
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 436 -ip 4361⤵PID:4864
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3744 -ip 37441⤵PID:4940
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1344 -ip 13441⤵PID:3004
Network
MITRE ATT&CK Enterprise v15
Downloads