Malware Analysis Report

2025-03-15 06:53

Sample ID 231130-c6ntnaeh97
Target c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921
SHA256 c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921
Tags
test orcus rat spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921

Threat Level: Known bad

The file c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921 was found to be: Known bad.

Malicious Activity Summary

test orcus rat spyware stealer

Orcus

Orcurs Rat Executable

Orcus family

Orcurs Rat Executable

Executes dropped EXE

Checks computer location settings

Drops file in System32 directory

Enumerates physical storage devices

Program crash

Unsigned PE

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-30 02:41

Signatures

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A

Orcus family

orcus

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-30 02:41

Reported

2023-11-30 02:44

Platform

win7-20231020-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsInput.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsInput.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921.exe N/A
File opened for modification C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921.exe N/A
File created C:\Windows\System32\svchosts.exe.config C:\Users\Admin\AppData\Local\Temp\c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.exe C:\Users\Admin\AppData\Local\Temp\c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.exe.config C:\Users\Admin\AppData\Local\Temp\c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.InstallState C:\Windows\SysWOW64\WindowsInput.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c0344fcc3623da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{006CC1F1-8F2A-11EE-9B55-E2B7EBBBA15F} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000efee191c820df7499e31472656722fd500000000020000000000106600000001000020000000db948797f2c83e588f97e425b64da3e31d25ab5753babcfacec237354959a036000000000e8000000002000020000000879deaa0c474f7ed3dfc4af6085535e95a6f21e51ecf231e1a04696a2e1cf717900000001f4859ae3c4f52a59401f8be669b3c08832bb96d380ea1b66215a97daef5d4f13e12217394ddf2bd474e4a9e0b7b17acd21dfacefd4180a493ac543848be669d8bbb2c3bdb1b0648e6cef342bcd33547b1a70a0913424db2433f3f4e374831534927d403f592c6892fe7cf747f9ed11b697df6fb33a9b63c02d0823e546dec3999e2e46224b51e00c4d941bfcde7af7940000000f343a96c2ca69c5aafe5c834e9621ad67d7d25cb83b28a69aaa6f53876f945f50575b0d55a0506a926d0c28a79228b5e8c32b9b28dfd408164fba048f9198464 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000efee191c820df7499e31472656722fd5000000000200000000001066000000010000200000002450a747bf77297b6ffb99404e9b96e0a7433a90e84410d4af9024421c07c7dc000000000e8000000002000020000000c06ec649cd9d189f7c57bdec906b02085408d351e601729539af823d53aa48cf20000000242d1999fb116e888b341b8cd4537e1b36cbda068a92eab36009ca7f918a556f400000005fea66ac7332562b884d0d05d61a4b691d6f6a3a382808eb697cdb5344d1f37a51dc5e98a9bf062c938fd59182a878b12691667b288888cc4adc442485383ce2 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "407473974" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\svchosts.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2248 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 2248 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 2248 wrote to memory of 2192 N/A C:\Users\Admin\AppData\Local\Temp\c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 2248 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921.exe C:\Windows\System32\svchosts.exe
PID 2248 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921.exe C:\Windows\System32\svchosts.exe
PID 2248 wrote to memory of 1308 N/A C:\Users\Admin\AppData\Local\Temp\c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921.exe C:\Windows\System32\svchosts.exe
PID 3004 wrote to memory of 816 N/A C:\Windows\system32\taskeng.exe C:\Windows\System32\svchosts.exe
PID 3004 wrote to memory of 816 N/A C:\Windows\system32\taskeng.exe C:\Windows\System32\svchosts.exe
PID 3004 wrote to memory of 816 N/A C:\Windows\system32\taskeng.exe C:\Windows\System32\svchosts.exe
PID 1308 wrote to memory of 2528 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 1308 wrote to memory of 2528 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 1308 wrote to memory of 2528 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 1308 wrote to memory of 2528 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 2528 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2528 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2528 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2528 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2756 wrote to memory of 2388 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2756 wrote to memory of 2388 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2756 wrote to memory of 2388 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2756 wrote to memory of 2388 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1308 wrote to memory of 1932 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 1308 wrote to memory of 1932 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 1308 wrote to memory of 1932 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 1308 wrote to memory of 1932 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 2756 wrote to memory of 2764 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2756 wrote to memory of 2764 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2756 wrote to memory of 2764 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2756 wrote to memory of 2764 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1308 wrote to memory of 2012 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 1308 wrote to memory of 2012 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 1308 wrote to memory of 2012 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 1308 wrote to memory of 2012 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 2756 wrote to memory of 2700 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2756 wrote to memory of 2700 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2756 wrote to memory of 2700 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2756 wrote to memory of 2700 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1308 wrote to memory of 2140 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 1308 wrote to memory of 2140 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 1308 wrote to memory of 2140 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 1308 wrote to memory of 2140 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 2756 wrote to memory of 2500 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2756 wrote to memory of 2500 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2756 wrote to memory of 2500 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2756 wrote to memory of 2500 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1308 wrote to memory of 2016 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 1308 wrote to memory of 2016 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 1308 wrote to memory of 2016 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 1308 wrote to memory of 2016 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 1308 wrote to memory of 3060 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 1308 wrote to memory of 3060 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 1308 wrote to memory of 3060 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 1308 wrote to memory of 3060 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 2756 wrote to memory of 528 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2756 wrote to memory of 528 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2756 wrote to memory of 528 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2756 wrote to memory of 528 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1308 wrote to memory of 2552 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 1308 wrote to memory of 2552 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 1308 wrote to memory of 2552 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 1308 wrote to memory of 2552 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 1308 wrote to memory of 1656 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 1308 wrote to memory of 1656 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 1308 wrote to memory of 1656 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921.exe

"C:\Users\Admin\AppData\Local\Temp\c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921.exe"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Windows\System32\svchosts.exe

"C:\Windows\System32\svchosts.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {54833C38-95E1-4DF7-87BD-114F87145E65} S-1-5-21-2084844033-2744876406-2053742436-1000:GGPVHMXR\Admin:Interactive:[1]

C:\Windows\System32\svchosts.exe

C:\Windows\System32\svchosts.exe

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 1308 /protectFile

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=svchostse.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2756 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 1308 /protectFile

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2756 CREDAT:209936 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 1308 /protectFile

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2756 CREDAT:406550 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 1308 /protectFile

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2756 CREDAT:472091 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 1308 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 1308 /protectFile

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2756 CREDAT:406585 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 1308 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 1308 /protectFile

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2756 CREDAT:1061914 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 1308 /protectFile

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2756 CREDAT:1586204 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 1308 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 1308 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 1308 /protectFile

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2756 CREDAT:1258554 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 1308 /protectFile

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2756 CREDAT:930884 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 1308 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 1308 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 1308 /protectFile

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2756 CREDAT:996453 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 1308 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 1308 /protectFile

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2756 CREDAT:799860 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 1308 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 1308 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 1308 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 1308 /protectFile

Network

Country Destination Domain Proto
N/A 127.0.0.1:5050 tcp
N/A 127.0.0.1:5050 tcp
N/A 127.0.0.1:5050 tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
N/A 127.0.0.1:5050 tcp
N/A 127.0.0.1:5050 tcp
N/A 127.0.0.1:5050 tcp
N/A 127.0.0.1:5050 tcp

Files

memory/2248-0-0x0000000000E70000-0x000000000116C000-memory.dmp

memory/2248-1-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

memory/2248-2-0x000000001B250000-0x000000001B2D0000-memory.dmp

memory/2248-3-0x0000000000560000-0x00000000005BC000-memory.dmp

memory/2248-4-0x0000000000340000-0x000000000034E000-memory.dmp

memory/2248-5-0x00000000005F0000-0x0000000000602000-memory.dmp

C:\Windows\SysWOW64\WindowsInput.exe

MD5 a80be96476032d2eaa901d180fe9fb73
SHA1 f378d0bc5fefb9ea0b5006f020091ffcbcd7acec
SHA256 d6075c1ed6f285f5de01ce0cc6a817b59054da8b19f20bc7081cfe7fb2b1af42
SHA512 210c0c4c845b416a601015fba5ccd2a3e8a4b81d3b4c5e0491b07bd0dcad938d9b118728bb1abc21eb73c5f9263a3c08e1822ece91002a2d1f0983857f0192ea

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

memory/2192-13-0x0000000000DF0000-0x0000000000DFC000-memory.dmp

C:\Windows\SysWOW64\WindowsInput.exe

MD5 a80be96476032d2eaa901d180fe9fb73
SHA1 f378d0bc5fefb9ea0b5006f020091ffcbcd7acec
SHA256 d6075c1ed6f285f5de01ce0cc6a817b59054da8b19f20bc7081cfe7fb2b1af42
SHA512 210c0c4c845b416a601015fba5ccd2a3e8a4b81d3b4c5e0491b07bd0dcad938d9b118728bb1abc21eb73c5f9263a3c08e1822ece91002a2d1f0983857f0192ea

memory/2192-14-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

memory/2192-15-0x000000001B180000-0x000000001B200000-memory.dmp

memory/2192-18-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

C:\Windows\SysWOW64\WindowsInput.exe

MD5 a80be96476032d2eaa901d180fe9fb73
SHA1 f378d0bc5fefb9ea0b5006f020091ffcbcd7acec
SHA256 d6075c1ed6f285f5de01ce0cc6a817b59054da8b19f20bc7081cfe7fb2b1af42
SHA512 210c0c4c845b416a601015fba5ccd2a3e8a4b81d3b4c5e0491b07bd0dcad938d9b118728bb1abc21eb73c5f9263a3c08e1822ece91002a2d1f0983857f0192ea

memory/672-20-0x00000000001A0000-0x00000000001AC000-memory.dmp

memory/672-21-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

memory/672-22-0x00000000192B0000-0x0000000019330000-memory.dmp

memory/2248-31-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

memory/1308-33-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

C:\Windows\System32\svchosts.exe

MD5 4060530bf60f50e248e3d865761d9468
SHA1 407f6b210b125159d02637487323610b50c612ea
SHA256 c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921
SHA512 78bf9894a2824f7c67d67e3ac85a10e63447f8e945680af2da6c8d614c5ae8fbb94fddf24aa3f4c3ff6a99af3a83c297faabdca38dfe7b9d0e4cf0f9153dcd7a

C:\Windows\System32\svchosts.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

C:\Windows\System32\svchosts.exe

MD5 4060530bf60f50e248e3d865761d9468
SHA1 407f6b210b125159d02637487323610b50c612ea
SHA256 c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921
SHA512 78bf9894a2824f7c67d67e3ac85a10e63447f8e945680af2da6c8d614c5ae8fbb94fddf24aa3f4c3ff6a99af3a83c297faabdca38dfe7b9d0e4cf0f9153dcd7a

memory/1308-34-0x000000001B160000-0x000000001B1E0000-memory.dmp

memory/1308-32-0x0000000000E90000-0x000000000118C000-memory.dmp

memory/1308-35-0x0000000000410000-0x0000000000422000-memory.dmp

memory/1308-36-0x0000000000E00000-0x0000000000E58000-memory.dmp

memory/1308-37-0x0000000000BF0000-0x0000000000C08000-memory.dmp

C:\Windows\System32\svchosts.exe

MD5 4060530bf60f50e248e3d865761d9468
SHA1 407f6b210b125159d02637487323610b50c612ea
SHA256 c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921
SHA512 78bf9894a2824f7c67d67e3ac85a10e63447f8e945680af2da6c8d614c5ae8fbb94fddf24aa3f4c3ff6a99af3a83c297faabdca38dfe7b9d0e4cf0f9153dcd7a

memory/816-39-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

memory/816-40-0x000000001AFB0000-0x000000001B030000-memory.dmp

memory/1308-41-0x0000000000B60000-0x0000000000B70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe.config

MD5 740dde6369b1c855ea2f8e171fa888c8
SHA1 db3f1c7e5e4c087cf9eb02376fd750f1879f28f8
SHA256 e03c480b46464159387618445ca9fd9870b53e092e2278837f2d5a54daf06cae
SHA512 114607dcee4439e5e5c97ca986a65c8114a0e3f3c56f494ef6eaac9cb0f9ebf29b828aabc3100e4be197c94d54a7c26513942c56806bfb3bb0d3594ffef7458c

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe.config

MD5 740dde6369b1c855ea2f8e171fa888c8
SHA1 db3f1c7e5e4c087cf9eb02376fd750f1879f28f8
SHA256 e03c480b46464159387618445ca9fd9870b53e092e2278837f2d5a54daf06cae
SHA512 114607dcee4439e5e5c97ca986a65c8114a0e3f3c56f494ef6eaac9cb0f9ebf29b828aabc3100e4be197c94d54a7c26513942c56806bfb3bb0d3594ffef7458c

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

memory/816-57-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\TarDDC9.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

memory/672-365-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

memory/1308-366-0x000007FEF5D20000-0x000007FEF670C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c02caea841ed46aedb1349553cb11858
SHA1 a31451edbb733dce28ead67846188622e8a930af
SHA256 dd3917d08c7dafedc1df10a613d323c0f16fa4e99126a366ddfd9a11d5b92e9a
SHA512 da2fb3f66dc462994ee24763d3dce11e50eb0ef2bb2371add3d96bb969347a1e9db96991d0dd8be77b49a0e30d1ede65cedd8bd2dc7aa3b7c6fd61134bfd5d5a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0976401aea5cf9ee76a5af9fa2237137
SHA1 fbb70b7d28e7e0529081123721545fdeaa68ff03
SHA256 df578fe9e29f17a59f28037cd5d38bf7a39632168d535686d9b2b892874cf0a2
SHA512 487c296259d42f0dde551e574315f6ebff72df5e814cf69be5272fdb4e82587d33590f1cf97097214a19659a4a76c96c637341e4d69874c74a945c51b3983d1e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 656f16b836ba73aef97e714421377305
SHA1 764c68220aec1ece2677e32804f98f92fc8dbde2
SHA256 f5ed369c4a3a1a5166f056e8750d9be6142037ddefbd0ddd2110ca20ba64f2f1
SHA512 df0b02df9e4e3b8515fc037f7fb62e778a0fc958e3fcb58fb76baf3cc5b8109e64b4894bec48a89c494c8a56a6bb6c3cf955e000d9d6b85afe663b5ac906d92e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7be5d1d084fa30b47e9d807d610da832
SHA1 675eb7f18f3d9ab8066bfe5967da31f53e76b99b
SHA256 4490018e1451c03e957a88cee465aacf917307be5db9b5f98c68eabdd311830b
SHA512 b656258e4c8ab85dd83e6e743c58112eba97ef13f586fd45d0d2794809eb0a2636c5d5498c0d2b6943ba5b80cc02bbaacff0973667928dc33d8444e0d9533384

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe.config

MD5 740dde6369b1c855ea2f8e171fa888c8
SHA1 db3f1c7e5e4c087cf9eb02376fd750f1879f28f8
SHA256 e03c480b46464159387618445ca9fd9870b53e092e2278837f2d5a54daf06cae
SHA512 114607dcee4439e5e5c97ca986a65c8114a0e3f3c56f494ef6eaac9cb0f9ebf29b828aabc3100e4be197c94d54a7c26513942c56806bfb3bb0d3594ffef7458c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 273b94bd12b9b128065a44ac63d179e0
SHA1 19d25e2ee76a50a79fba85b536c081dd1afc5670
SHA256 dc30bad860a801b3f6bc63093f9b3f36c02f9cf1e9b400c8e63109f6c13773a4
SHA512 69c1ee818c4e431fcb627771f39d6aa224c0602e3084b3cb48bfeb5f61a9ec16d60f2481e7083a3f6393251d79cabff610c68fb613f462e909b97293a7cba87f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9a57ed8d23bd978387a0ad63990b2abc
SHA1 27c1c2ab2b808348fffdb7df8008b2d1bfc664e6
SHA256 2a90582204d307e3637a2940c498df444c00eead02188b61a7124d524afc46bb
SHA512 02df25e777dd7722305c54ed38d7cebfe7ec57e7c90fb36b2c513316c36e021a9302791ea16770dff429aaf7b8efffc14fad1bc310d0ab14313dfc2aeb4edbb7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a0788d0436628467d52dfcafc767ac1f
SHA1 e22d39dc68eae1960a46ca7778c98a9fc5e93e35
SHA256 75e68e0da067e807438e14105af3b6e56113d8c899143a2bbd5e5e71cacb35d1
SHA512 4a2c94f59560b25bbddf4274ff958d64388fe718602d9187cd80c9d299b6c969ff5ecaa210f5598070cb9f54906e0b1e7712fe4b9230eeae32ac74a1e5e1ede3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e7c66755117e7e7de809a069c1438327
SHA1 1a59a1b9c1e4962f96cc3d8f77b60d2c17b91663
SHA256 5855dc4e3fb14cc9ab25e2714db703c16acc3410b9f65583341dc0433f9a5ebf
SHA512 292d92e4f57ffea68fda8fc97191f65e9ee85e879d4efb7720803233ddb4300d152c8d57317ad47892b640d474f5e0d5698b665f55fab0002710e399966c9cfc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e7c66755117e7e7de809a069c1438327
SHA1 1a59a1b9c1e4962f96cc3d8f77b60d2c17b91663
SHA256 5855dc4e3fb14cc9ab25e2714db703c16acc3410b9f65583341dc0433f9a5ebf
SHA512 292d92e4f57ffea68fda8fc97191f65e9ee85e879d4efb7720803233ddb4300d152c8d57317ad47892b640d474f5e0d5698b665f55fab0002710e399966c9cfc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 73d0bfbfbf91f27d2546ea93503fe965
SHA1 4a911cbdc6141eb191dc4659baf1520e069144e8
SHA256 5ed46e27831c80f11fced5dee32ddfc506fb796fe6d6bc3eef371212a8b6b6de
SHA512 b8b8ef2fb5037b4838244dbc7c8ced342ae3f66a788ec53276afb6ba9d6fc91def3f2a1cbcf89f771d92e70be8df2036162a142cd2cf0aa4d6536199636ecf3d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 73d0bfbfbf91f27d2546ea93503fe965
SHA1 4a911cbdc6141eb191dc4659baf1520e069144e8
SHA256 5ed46e27831c80f11fced5dee32ddfc506fb796fe6d6bc3eef371212a8b6b6de
SHA512 b8b8ef2fb5037b4838244dbc7c8ced342ae3f66a788ec53276afb6ba9d6fc91def3f2a1cbcf89f771d92e70be8df2036162a142cd2cf0aa4d6536199636ecf3d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7836196cb207670f3cea349c1a82cef3
SHA1 36f257714d06f906a7880011d606bb53d927f503
SHA256 37c392c2844bb8b6d450618b70651ee5ab8caf17e8026fe19bd264c93a85cece
SHA512 b741442bed0866a19b7471ae7c46dbf45357ea9ac16aaca82a404ceb0400db1e9686d358ea23bf7f09c31b48b74e0a48969975366411b423b126c1d8043d54e9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3a63e40ff4b0f1ac86bc42b41375973c
SHA1 61fe44db0402dd01ac3f12ddbd4b776d531b7b50
SHA256 7b99305f7818434c6fb52e95b4e4dbe787ce2c46bddd86a29d14c494010a1bcd
SHA512 6ef26a190d9bb6ac5fa93e4ecf97f89d80b4417f6af42fd3e9b43923cfde96b66971978cb2c441f38f236b6a4a535d47c40b8f7dde78fa75381caef336e0ade0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bcb9ef13ef675b3003c8520b48ff5d08
SHA1 590359cbc99368273b37e4fe21186d3b13379968
SHA256 fb8a29689f6357bc18962de703a7f1c544a73385e94e112e2f6f39ab73f8f9cf
SHA512 304846ee65b2e7064f6b06e49b26ee0e7bb93608c84cef8851c93140b0e5c30651eb818a1249ba3176d2a8f82763353b58a9fd3ddbff80403348ce3c3a4e6a2e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d52a0ddbb91d061a5a0623d946faa6b8
SHA1 be0b0fd3b345df2c20b68827c85a2136989c63ec
SHA256 701300766c859245a4350d9d580112faee6f71e98afd81fe32e3c639ff49d4c7
SHA512 d03f20aa55782afb8311e5c30f6b90a43dfab8dbd81305d769617d2d91741c544d84be91ff9473997fac9dcdaeec78b3b4cadaa7489d0f1b2f38a066699ccb4d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0dd75ec5798ab2eb0cf29c77d6b9908a
SHA1 12713e64fec1b29bcbffdb321986a5247f85b915
SHA256 9f20cc21bca838118b424311aaa271eb59d135fbea56975108a4af2990683329
SHA512 aa9c35044cfaec87eea250f2c9b2797d3d3cefa5285b3130a055913d16bbabb3ba6aa8a3e2c4cd12135ca1d44af964020d7eab5cb0bc9a7ca3c3dadba9e22e00

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0b3d753904e824d4ead801daffd32493
SHA1 4dd11e2104cea935611a48b0691325858a46f517
SHA256 e681d20490a7bc29c6bb494e508478014a622ade4d91f8d5036a8eff7566664e
SHA512 83593d4b62e1e01673bee06287e91590f85fd407f211fa181110d2c3b4e4542ede84bc32473b10f8aa2d07a18a1b7670608603cd5fc34bcf80781f58f31b0fc8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d6083adf64797a86fc16ae92e928c676
SHA1 5edd56019cc034f66bd116f56e6f14cd9ccdb183
SHA256 fd5ccd7966d11882c76d79ccd277cd01930d810a819383609a9e1649f89e43ed
SHA512 354031c14094470d30c8c3884367418bff7fd7a5688f3e394884f05d53c75dae5824f7ce321d8f1a22465973f7ad135ca79242f70b20c962188cf1ca7997c109

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe.config

MD5 740dde6369b1c855ea2f8e171fa888c8
SHA1 db3f1c7e5e4c087cf9eb02376fd750f1879f28f8
SHA256 e03c480b46464159387618445ca9fd9870b53e092e2278837f2d5a54daf06cae
SHA512 114607dcee4439e5e5c97ca986a65c8114a0e3f3c56f494ef6eaac9cb0f9ebf29b828aabc3100e4be197c94d54a7c26513942c56806bfb3bb0d3594ffef7458c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 973ffa57aaefc1dc35d67d52f0cdbb58
SHA1 05c940529513b684a477b92dc44ccc2046239a2c
SHA256 136fd9a20b2d2ecd9363e1dd590123265ac2238d92c471e54475994295bd1d2b
SHA512 c615737b1e390bb29cc77b0003bfb65079ce53a9e4b6228f3dde1af9ea812ba5ae41ebe2402d8444fadfb3cd53c0f7cb3a48419edd0c2d566ceff95e95821ae6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7437de1c427ca71aa6a5a3d8da191028
SHA1 6dfbfa97ea5d04c1bc067a79b91c3f2017f246a0
SHA256 dff9d312fd37667fd0b09f84912e54daa7b6eb8ba447ba8b74c9e3b3c2a87e87
SHA512 d6c8ba22d81af3af05b99c932a55fffcdb67b3fafd658337ea00451a3eaa3ca9045579e30bfa43448c5bf04ad4d05ff2034f462c9314dd986646474a59bc7b89

C:\Users\Admin\AppData\Local\Temp\svchostse.exe.config

MD5 740dde6369b1c855ea2f8e171fa888c8
SHA1 db3f1c7e5e4c087cf9eb02376fd750f1879f28f8
SHA256 e03c480b46464159387618445ca9fd9870b53e092e2278837f2d5a54daf06cae
SHA512 114607dcee4439e5e5c97ca986a65c8114a0e3f3c56f494ef6eaac9cb0f9ebf29b828aabc3100e4be197c94d54a7c26513942c56806bfb3bb0d3594ffef7458c

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe.config

MD5 740dde6369b1c855ea2f8e171fa888c8
SHA1 db3f1c7e5e4c087cf9eb02376fd750f1879f28f8
SHA256 e03c480b46464159387618445ca9fd9870b53e092e2278837f2d5a54daf06cae
SHA512 114607dcee4439e5e5c97ca986a65c8114a0e3f3c56f494ef6eaac9cb0f9ebf29b828aabc3100e4be197c94d54a7c26513942c56806bfb3bb0d3594ffef7458c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 012c6f67217ab46b5b137b1768f40459
SHA1 f7c80a40f450b264d6ab6d0a5ddb4f02764fabcc
SHA256 8508bac99cda273701bae6aea6054af1a9c05fb0d1c6fc88fc213113b44117aa
SHA512 6a9484f28edcb5a72478b9a3bb401ba33fb1c303161994feb18e530cb9936780c8b44bcf6523b6df6e5aca4781b2913ee9eef8a3823ea3c9f7d1501347bef53f

C:\Users\Admin\AppData\Local\Temp\svchostse.exe.config

MD5 740dde6369b1c855ea2f8e171fa888c8
SHA1 db3f1c7e5e4c087cf9eb02376fd750f1879f28f8
SHA256 e03c480b46464159387618445ca9fd9870b53e092e2278837f2d5a54daf06cae
SHA512 114607dcee4439e5e5c97ca986a65c8114a0e3f3c56f494ef6eaac9cb0f9ebf29b828aabc3100e4be197c94d54a7c26513942c56806bfb3bb0d3594ffef7458c

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q3NPL6GJ\invalidcert[1]

MD5 a5d6ba8403d720f2085365c16cebebef
SHA1 487dcb1af9d7be778032159f5c0bc0d25a1bf683
SHA256 59e53005e12d5c200ad84aeb73b4745875973877bd7a2f5f80512fe507de02b7
SHA512 6341b8af2f9695bb64bbf86e3b7bfb158471aef0c1b45e8b78f6e4b28d5cb03e7b25f4f0823b503d7e9f386d33a7435e5133117778291a3c543cafa677cdc82d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OE1L9TUT\ErrorPageTemplate[1]

MD5 f4fe1cb77e758e1ba56b8a8ec20417c5
SHA1 f4eda06901edb98633a686b11d02f4925f827bf0
SHA256 8d018639281b33da8eb3ce0b21d11e1d414e59024c3689f92be8904eb5779b5f
SHA512 62514ab345b6648c5442200a8e9530dfb88a0355e262069e0a694289c39a4a1c06c6143e5961074bfac219949102a416c09733f24e8468984b96843dc222b436

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HYJJYCDH\errorPageStrings[1]

MD5 e3e4a98353f119b80b323302f26b78fa
SHA1 20ee35a370cdd3a8a7d04b506410300fd0a6a864
SHA256 9466d620dc57835a2475f8f71e304f54aee7160e134ba160baae0f19e5e71e66
SHA512 d8e4d73c76804a5abebd5dbc3a86dcdb6e73107b873175a8de67332c113fb7c4899890bf7972e467866fa4cd100a7e2a10a770e5a9c41cbf23b54351b771dcee

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H57AUUE9\httpErrorPagesScripts[1]

MD5 3f57b781cb3ef114dd0b665151571b7b
SHA1 ce6a63f996df3a1cccb81720e21204b825e0238c
SHA256 46e019fa34465f4ed096a9665d1827b54553931ad82e98be01edb1ddbc94d3ad
SHA512 8cbf4ef582332ae7ea605f910ad6f8a4bc28513482409fa84f08943a72cac2cf0fa32b6af4c20c697e1fac2c5ba16b5a64a23af0c11eefbf69625b8f9f90c8fa

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HYJJYCDH\invalidcert[1]

MD5 8ce0833cca8957bda3ad7e4fe051e1dc
SHA1 e5b9df3b327f52a9ed2d3821851e9fdd05a4b558
SHA256 f18e9671426708c65f999ca0fd11492e699cb13edc84a7d863fa9f83eb2178c3
SHA512 283b4c6b1035b070b98e7676054c8d52608a1c9682dfe138c569adfecf84b6c5b04fe1630eb13041ad43a231f83bf38680198acd8d5a76a47ec77829282a99fa

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H57AUUE9\red_shield_48[1]

MD5 7c588d6bb88d85c7040c6ffef8d753ec
SHA1 7fdd217323d2dcc4a25b024eafd09ae34da3bfef
SHA256 5e2cd0990d6d3b0b2345c75b890493b12763227a8104de59c5142369a826e3e0
SHA512 0a3add1ff681d5190075c59caffde98245592b9a0f85828ab751e59fdf24403a4ef87214366d158e6b8a4c59c5bdaf563535ff5f097f86923620ea19a9b0dc4d

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Q3NPL6GJ\green_shield[1]

MD5 c6452b941907e0f0865ca7cf9e59b97d
SHA1 f9a2c03d1be04b53f2301d3d984d73bf27985081
SHA256 1ba122f4b39a33339fa9935bf656bb0b4b45cdded78afb16aafd73717d647439
SHA512 beb58c06c2c1016a7c7c8289d967eb7ffe5840417d9205a37c6d97bd51b153f4a053e661ad4145f23f56ce0aebda101932b8ed64b1cd4178d127c9e2a20a1f58

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\OE1L9TUT\red_shield[1]

MD5 006def2acbd0d2487dffc287b27654d6
SHA1 c95647a113afc5241bdb313f911bf338b9aeffdc
SHA256 4bd9f96d6971c7d37d03d7dea4af922420bb7c6dd46446f05b8e917c33cf9e4e
SHA512 9dabf92ce2846d8d86e20550c749efbc4a1af23c2319e6ce65a00dc8cbc75ac95a2021020cab1536c3617043a8739b0495302d0ba562f48f4d3c25104b059a04

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HYJJYCDH\down[1]

MD5 c4f558c4c8b56858f15c09037cd6625a
SHA1 ee497cc061d6a7a59bb66defea65f9a8145ba240
SHA256 39e7de847c9f731eaa72338ad9053217b957859de27b50b6474ec42971530781
SHA512 d60353d3fbea2992d96795ba30b20727b022b9164b2094b922921d33ca7ce1634713693ac191f8f5708954544f7648f4840bcd5b62cb6a032ef292a8b0e52a44

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H57AUUE9\background_gradient_red[1]

MD5 337038e78cf3c521402fc7352bdd5ea6
SHA1 017eaf48983c31ae36b5de5de4db36bf953b3136
SHA256 fbc23311fb5eb53c73a7ca6bfc93e8fa3530b07100a128b4905f8fb7cb145b61
SHA512 0928d382338f467d0374cce3ff3c392833fe13ac595943e7c5f2aee4ddb3af3447531916dd5ddc716dd17aef14493754ed4c2a1ab7fe6e13386301e36ee98a7d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e92b92411b95aabb1e0b3f2e598d12dc
SHA1 2a9c62524a2783726f7008474b5713305fce6aeb
SHA256 7d9178d19e4b60de3072daa170f16a575814882369eef799fc9dc4e96ce0ae6f
SHA512 8aca6a785f23ef441aa3a9033696023e6cbd11f9118f555355e1a5eb9c8b80fd12de952015eaa7dd02da64369f0b844f0e48f2e49bcc01a4a126912df77da31e

C:\Users\Admin\AppData\Local\Temp\svchostse.exe.config

MD5 740dde6369b1c855ea2f8e171fa888c8
SHA1 db3f1c7e5e4c087cf9eb02376fd750f1879f28f8
SHA256 e03c480b46464159387618445ca9fd9870b53e092e2278837f2d5a54daf06cae
SHA512 114607dcee4439e5e5c97ca986a65c8114a0e3f3c56f494ef6eaac9cb0f9ebf29b828aabc3100e4be197c94d54a7c26513942c56806bfb3bb0d3594ffef7458c

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 691e1e7abfadd481522de042cd5cb070
SHA1 e166f21f84d897357ef0b9a91a6e589be390ae3b
SHA256 529804d93d48bd1d37ba3ce1b309fa1f955e773942aec584093612f658d866c2
SHA512 16f9d4b4a99232a163df86604ae0bb76892bc3013257682ca8ef082d9db6f8ce1f0bc8c68ef53818d77b044bd2f9419479898f0fd0a7a11f245c45cfa5336e9c

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe.config

MD5 740dde6369b1c855ea2f8e171fa888c8
SHA1 db3f1c7e5e4c087cf9eb02376fd750f1879f28f8
SHA256 e03c480b46464159387618445ca9fd9870b53e092e2278837f2d5a54daf06cae
SHA512 114607dcee4439e5e5c97ca986a65c8114a0e3f3c56f494ef6eaac9cb0f9ebf29b828aabc3100e4be197c94d54a7c26513942c56806bfb3bb0d3594ffef7458c

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe.config

MD5 740dde6369b1c855ea2f8e171fa888c8
SHA1 db3f1c7e5e4c087cf9eb02376fd750f1879f28f8
SHA256 e03c480b46464159387618445ca9fd9870b53e092e2278837f2d5a54daf06cae
SHA512 114607dcee4439e5e5c97ca986a65c8114a0e3f3c56f494ef6eaac9cb0f9ebf29b828aabc3100e4be197c94d54a7c26513942c56806bfb3bb0d3594ffef7458c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 570a20790583c22de1a8bea27fc8221b
SHA1 2d4e27c32aca11fab517d3af98d0e7a862c559d8
SHA256 f3b0712e5c3001c3b52e9a92998996873ab1a2e9442f09090433c59e4ff6d192
SHA512 e2a93514b447cb9cf86981ad04195b2a0126da8ab74a3a52c9248572f4b4d74ca26c5198de3263b35e33a73c1f6752a5993779a0b1d431d74a9c297bdd65464d

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 60746985a8bd481b0a78e26c4478c48d
SHA1 d80d8020cf2327bd133859e13a2f2b6fe4a6b38a
SHA256 401405621aae905f82bb02ead41c5b4b1f681750001c4731cafa6552be298066
SHA512 389aefe6e866c7a2dab98dfa8f6c99c663c0db5a95476199fd399b958575f0522f7760e3ef77091752a7d20f8e1342045c695103171c8d96bf91a2785d8a8ca4

C:\Users\Admin\AppData\Local\Temp\svchostse.exe.config

MD5 740dde6369b1c855ea2f8e171fa888c8
SHA1 db3f1c7e5e4c087cf9eb02376fd750f1879f28f8
SHA256 e03c480b46464159387618445ca9fd9870b53e092e2278837f2d5a54daf06cae
SHA512 114607dcee4439e5e5c97ca986a65c8114a0e3f3c56f494ef6eaac9cb0f9ebf29b828aabc3100e4be197c94d54a7c26513942c56806bfb3bb0d3594ffef7458c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 80c1b7622e3925b7eb2d67380200d381
SHA1 d94cf564251da5824dcb4c08ed0efda327bfd5e4
SHA256 480ad2dde996aaf8de1e6def23fae33d6a9f19da6856dab40579408b34878182
SHA512 cd88f7c2bc0e7cc58a68998c48124c9520f37d9276870f9d028392464d6e7ba7325d0bae8010243ea69732ed6de5e4086e3eae53ac853361c9445fb81cce2995

C:\Users\Admin\AppData\Local\Temp\svchostse.exe.config

MD5 740dde6369b1c855ea2f8e171fa888c8
SHA1 db3f1c7e5e4c087cf9eb02376fd750f1879f28f8
SHA256 e03c480b46464159387618445ca9fd9870b53e092e2278837f2d5a54daf06cae
SHA512 114607dcee4439e5e5c97ca986a65c8114a0e3f3c56f494ef6eaac9cb0f9ebf29b828aabc3100e4be197c94d54a7c26513942c56806bfb3bb0d3594ffef7458c

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4679ab7e19ab007f591228f976af476b
SHA1 91237f06b77c21b184f35f9b58d22f1ce88efbfc
SHA256 1cbed54118dc01678c50ecb462632b2a877c2bdb075fc768dbd6e9492f6db967
SHA512 7c671010eec8968be40c0c298806cc725e18f7311ea211ab97de28e4fab362792ceed8f9f102d78266e57b4edc04973d354fee206c140a8d625c29f21a9d795a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 66cc3b9d9898e8ab19b87cacb7791003
SHA1 38792acff3e47f1479048c0deb58dffdfa95291f
SHA256 2ed4c2a9830b7c9ec64cd88a28b6da0b31984410f1bddfc52de93ab051c0ff82
SHA512 b593e4f74052ca7790227b05b833e87f1d94164c30271054b174b49f12f0fcbe70741357307be8dc3732474eec82e1a0e73a4d30aa5be26599cc57184e21ba49

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e67c77c5239f4319303ffb17fd548895
SHA1 3cd1aa54635d0b5fd44077d8297956a3d8d3cf66
SHA256 bb9710abbe649778ca81bdb64f00083ee220093429c382e811846a7f44d5fdf8
SHA512 f12708576c753d6f948774edce2f2e5b4729419770c1f94251e1aebaf4dfdf1593398dfec7800d5e9f90e5aed7b3dd2df41cbc73cfda0d6e539650655f2e41bf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 392c5c0c05621e8b1cd0f9b4bf099356
SHA1 195528249fbd29ef129e7c28e603ae1e104dafd1
SHA256 44e189acb8c25eed9931a2e13492b4b4f7c4c43ba960f753ea635d2a00317c44
SHA512 e43a9c853ba99f201ba9feeebe72e228cd25c1ca8912ad78e8fbdf550abcda9aadc54588f4dba0f87ce89cafd29dd72b7382a74700ecc908be71850fda91757e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8268a44476baaf79d9180669ca8743c5
SHA1 580f2baec27741c431bc5e1aa6ea708849281421
SHA256 d7a6dada9c07dbe85502505d5cad02e273bbab5c0ee2cf33ebdd59b6d6242a9c
SHA512 59a2a94d764720b6e8debf1b5b0ca2ae32e1f532fba987e1195669575cd6f7343779c4293f0f9b4378eb1dce74d5c6a7d74d69280490d0163e67a9d5bee65a99

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cdd88ea4cb6b60363db3b3207e042e6d
SHA1 fe79abcb57f04d30075df61675e810c0a57c9ecc
SHA256 22ba1101e2a2898c32fde015d95b351a96fceb04eb20aa6d79fa2798e8ff32c5
SHA512 43f05208adf8ff36bc18e0803b3238227b661ef10d977eaaeb76e5c367a8c284c26c37f05de370d378f0a204e27f5ecf841e7dacb230d9f42fc4859564b44157

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0cbb4b842138fef6f38614832b4a5719
SHA1 e118442b8546253d857cc9b0dad2e7ff988b8e83
SHA256 f782f4c40da865955145039f420257680de866ce779ec7d764d3710a36e6de02
SHA512 5cf1e2218082cd35142ff8c5ddac8ed0ff0ae074e606e944fa41cf7d599d2f68b3004581fe21ea30b059e6aa21afe1e069b5e560dc312c1e531172d9afc6a7de

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c30c96871d438abf50be70c33533896c
SHA1 ae10a5f4afa58172562031252282daaf77febfd4
SHA256 5ef6e409b91a617e0390255e4ae935aa2bd6578ab03c377a9211cf96d3a3e221
SHA512 e65c1c26011061750fad840dfa5d8f44f4a43146f7d812514d3fe9ea459a2d9e2efcdb6cc6e39a80c49badebfd95ed914b991655cf7d8741f49409bd1457d63a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cec8ad5110d20c1674b04ff9bbd4c999
SHA1 dca1a9c006c0a9a30a5e6797a26556f48826b39c
SHA256 21f2d09fad2c6f6c8f36c25cbf40a581d8f882bf520db63d5b781147b7a09fe6
SHA512 6aef812b780c98213951d502cc7594d8f3075dc303cfec646155af45e6fec0c41a3f975cf726e522e6f47749e75702e2915cbcfd7dbfa676ea8e1a19e51b1794

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6d12331ff32ae5401a26f06139a467bc
SHA1 0949c47c79ec427bb8e6be1d6b89bd3f0f364e5e
SHA256 af3b73c64ffe692c2b750afff9dd583bb3862adbead4a4fef1807eded6edff8a
SHA512 c6576fd8622d6a5f6ed2d520cc0c0a97cdec39a6555328eaf822bd2427c6804d748f477130b0d7d5e20fbd45c120ba7b2bfff65040b836e0a460c2dfd3af2ecf

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6f4dc085433e0fdab01a166fa475a577
SHA1 77765f76c5dff1ae88cefd45c73416af65dbcc9b
SHA256 41f710b25be883ca41928c8be45bad9242f44c6546848af4e7e1c7c29820a1b2
SHA512 83b8fac9f3e1525fa522f52b82eb2ba1b8acd259495c2f4c1da79a75e0bfbabad4af1bc09f1b867b069b0e5b696818a4e75ac194a8a5590b3748822cbf45d029

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 79f88e1edca94ce6a942642a44ddf99b
SHA1 27bc03e9b0ced4cb1d158356a0d3010201c57da8
SHA256 67a2c78e4b24c3e746c61b803116d12d0492ad112d59fe25a46bb3585e533a8b
SHA512 fcf1896217cd539682275ca635ddd56b3286a8a659110379670339bb1c00ca231c690ed2bd228a03b72801ae7ec54b48602e6c5cc49ab48d947b1da7205c8433

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c109fc946317d9312afc362cb1490dca
SHA1 cc6f9a53849b39f5b4a5747e703140c3f6e7ea89
SHA256 a7552f053e41c761dc6ea7da335adfd37ed8f6a855119e68cbef927901d4a13f
SHA512 415e422f5b0f7f65ea0389495a01e9cc57913692e87773d06a24c3656f05cb5b3ea8c89bd3829dffb65260bb1f6ad7c0d7fdece689a4b1bb6a78cb46422a5675

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d12ac31fdb4c990019fbbebccbcf0c19
SHA1 643ab919ff20b59fa0bbd89bdf93d2c9272c035a
SHA256 a145c8ff3a618a1d2da1ebcbc76dbc281c7ea6b755068d91fdb925a194d0863d
SHA512 b8741f90b9438c34b8ceff5c1847fbff47852c8a35fc4e4e61a8a6d86c29dbbd82a29bad9ea95ee7d7f251180f8097eeb3051bc3958438154ae1e29be69a8e58

C:\Users\Admin\AppData\Local\Temp\svchostse.exe.config

MD5 740dde6369b1c855ea2f8e171fa888c8
SHA1 db3f1c7e5e4c087cf9eb02376fd750f1879f28f8
SHA256 e03c480b46464159387618445ca9fd9870b53e092e2278837f2d5a54daf06cae
SHA512 114607dcee4439e5e5c97ca986a65c8114a0e3f3c56f494ef6eaac9cb0f9ebf29b828aabc3100e4be197c94d54a7c26513942c56806bfb3bb0d3594ffef7458c

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\~DFB5C824419D3917FA.TMP

MD5 16b845e6364436c76e0f106f9e97ed80
SHA1 3929a2e5a4c3deaeaf64137e12d78ed8ad571bc5
SHA256 e64a6c905130a873bd6fdc1431ffaf9f3dfd1fa06e9cbaee34dcf9a48192ef65
SHA512 0b5b73cf5ef75b0eba8d658ae48c2974042052d28a390ae1467474d20fb81a70bfe941d888051b1f2b848853ffc60df832d50b5f2604b8eb7afee7c43d3026e2

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\28c8b86deab549a1.customDestinations-ms

MD5 ac01b40fad8fca4b6a5045bd29b53705
SHA1 36abff826107c5c32cf48fdd5c102df77f650f60
SHA256 652ec99926dfb85d093a6e469e3ddd9fa2acab5e5ca5018237853931b9484dc2
SHA512 401ffd8f2b1d379723a96a30ad33c9e7ea9a401329f0300301c0b27f06f222d9c1800b104fb33cde18dbb70028339015d93ec48a48d89f5e9d211d36c726a439

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-30 02:41

Reported

2023-11-30 02:44

Platform

win10v2004-20231127-en

Max time kernel

147s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921.exe"

Signatures

Orcus

rat spyware stealer orcus

Orcurs Rat Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsInput.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsInput.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\WindowsInput.exe C:\Users\Admin\AppData\Local\Temp\c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.exe.config C:\Users\Admin\AppData\Local\Temp\c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921.exe N/A
File created C:\Windows\SysWOW64\WindowsInput.InstallState C:\Windows\SysWOW64\WindowsInput.exe N/A
File created C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921.exe N/A
File opened for modification C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921.exe N/A
File created C:\Windows\System32\svchosts.exe.config C:\Users\Admin\AppData\Local\Temp\c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A
N/A N/A C:\Windows\System32\svchosts.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\System32\svchosts.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\svchosts.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\System32\svchosts.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1080 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 1080 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921.exe C:\Windows\SysWOW64\WindowsInput.exe
PID 1080 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921.exe C:\Windows\System32\svchosts.exe
PID 1080 wrote to memory of 4752 N/A C:\Users\Admin\AppData\Local\Temp\c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921.exe C:\Windows\System32\svchosts.exe
PID 4752 wrote to memory of 2212 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 4752 wrote to memory of 2212 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 4752 wrote to memory of 2212 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 2212 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 2212 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 2212 wrote to memory of 3136 N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 4752 wrote to memory of 2824 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 4752 wrote to memory of 2824 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 4752 wrote to memory of 2824 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 2824 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 2824 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 2824 wrote to memory of 4024 N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 4752 wrote to memory of 1812 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 4752 wrote to memory of 1812 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 4752 wrote to memory of 1812 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 1812 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 1812 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 1812 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 4752 wrote to memory of 3052 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 4752 wrote to memory of 3052 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 4752 wrote to memory of 3052 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 3052 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 3052 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 3052 wrote to memory of 4680 N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 4752 wrote to memory of 3900 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 4752 wrote to memory of 3900 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 4752 wrote to memory of 3900 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 3900 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 3900 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 3900 wrote to memory of 1116 N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 4752 wrote to memory of 772 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 4752 wrote to memory of 772 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 4752 wrote to memory of 772 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 772 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 772 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 772 wrote to memory of 2868 N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 4752 wrote to memory of 1916 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 4752 wrote to memory of 1916 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 4752 wrote to memory of 1916 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 1916 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 1916 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 1916 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 4752 wrote to memory of 4696 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 4752 wrote to memory of 4696 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 4752 wrote to memory of 4696 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 4696 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 4696 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 4696 wrote to memory of 3944 N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 4752 wrote to memory of 5020 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 4752 wrote to memory of 5020 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 4752 wrote to memory of 5020 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 5020 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 5020 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 5020 wrote to memory of 4300 N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 4752 wrote to memory of 4868 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 4752 wrote to memory of 4868 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 4752 wrote to memory of 4868 N/A C:\Windows\System32\svchosts.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 4868 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 4868 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe
PID 4868 wrote to memory of 972 N/A C:\Users\Admin\AppData\Local\Temp\svchostse.exe C:\Users\Admin\AppData\Local\Temp\svchostse.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921.exe

"C:\Users\Admin\AppData\Local\Temp\c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921.exe"

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe" --install

C:\Windows\SysWOW64\WindowsInput.exe

"C:\Windows\SysWOW64\WindowsInput.exe"

C:\Windows\System32\svchosts.exe

"C:\Windows\System32\svchosts.exe"

C:\Windows\System32\svchosts.exe

C:\Windows\System32\svchosts.exe

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3136 -ip 3136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3136 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4024 -ip 4024

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3980 -ip 3980

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3980 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4680 -ip 4680

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1116 -ip 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2868 -ip 2868

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 436 -ip 436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3944 -ip 3944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4300 -ip 4300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4300 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 972 -ip 972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 972 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1272 -ip 1272

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1272 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1224 -ip 1224

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2580 -ip 2580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2580 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 496 -ip 496

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 496 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1664 -ip 1664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4416 -ip 4416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4416 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 968 -ip 968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 968 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 688 -ip 688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 688 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4600 -ip 4600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2016 -ip 2016

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2740 -ip 2740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 492 -ip 492

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 492 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4776 -ip 4776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3952 -ip 3952

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3952 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2808 -ip 2808

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2508 -ip 2508

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1264 -ip 1264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1264 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4544 -ip 4544

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4544 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 3264 -ip 3264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 844

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2748 -ip 2748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2748 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2856 -ip 2856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2856 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4028 -ip 4028

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4028 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1904 -ip 1904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 1624 -ip 1624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1624 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1332 -ip 1332

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1332 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 4744 -ip 4744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3264 -ip 3264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 844

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1652 -ip 1652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 2576 -ip 2576

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2576 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1868 -ip 1868

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1868 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4972 -ip 4972

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4972 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1268 -ip 1268

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1700 -ip 1700

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4592 -ip 4592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4592 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 216 -ip 216

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 216 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1452 -ip 1452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 760 -ip 760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 760 -s 404

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4692 -ip 4692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4692 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 352 -ip 352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 352 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2876 -ip 2876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1816 -ip 1816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1832 -ip 1832

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1832 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3944 -ip 3944

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3944 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4368 -ip 4368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4368 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4200 -ip 4200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 1524 -ip 1524

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1524 -s 844

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 352 -ip 352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 352 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2480 -ip 2480

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1816 -ip 1816

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1816 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1924 -ip 1924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 1452 -ip 1452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1452 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1488 -ip 1488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1488 -s 844

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 452 -ip 452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 452 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1612 -ip 1612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1612 -s 848

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1940 -ip 1940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1940 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 5044 -ip 5044

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5044 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 3540 -ip 3540

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1924 -ip 1924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 844

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 3840 -ip 3840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4304 -ip 4304

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4304 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5080 -ip 5080

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 2452 -ip 2452

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4360 -ip 4360

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4360 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3604 -ip 3604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1144 -ip 1144

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1144 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1580 -ip 1580

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1580 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5000 -ip 5000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 5112 -ip 5112

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5112 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 3900 -ip 3900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3900 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 1668 -ip 1668

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1668 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1416 -ip 1416

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1416 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 732 -ip 732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 732 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 3012 -ip 3012

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3012 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 1960 -ip 1960

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 548 -ip 548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 548 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4680 -ip 4680

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4600 -ip 4600

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4744 -ip 4744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 924 -ip 924

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2264 -ip 2264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4456 -ip 4456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3604 -ip 3604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3604 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4008 -ip 4008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4008 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3084 -ip 3084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3084 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4680 -ip 4680

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4680 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 2000 -ip 2000

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 3852 -ip 3852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3852 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4604 -ip 4604

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 848

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4836 -ip 4836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3784 -ip 3784

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3784 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 2512 -ip 2512

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2512 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4828 -ip 4828

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4828 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 3956 -ip 3956

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3956 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 1116 -ip 1116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1116 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4024 -ip 4024

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4024 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 3732 -ip 3732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3732 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 4940 -ip 4940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4940 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 748 -ip 748

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 748 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 3840 -ip 3840

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3840 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2812 -ip 2812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2812 -s 864

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1532 -ip 1532

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1532 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4892 -ip 4892

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4892 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 436 -ip 436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3744 -ip 3744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /watchProcess "C:\Windows\System32\svchosts.exe" 4752 "/protectFile"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 1344 -ip 1344

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 840

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

"C:\Users\Admin\AppData\Local\Temp\svchostse.exe" /launchSelfAndExit "C:\Windows\System32\svchosts.exe" 4752 /protectFile

Network

Country Destination Domain Proto
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 127.0.0.1:5050 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 138.175.53.84.in-addr.arpa udp
N/A 127.0.0.1:5050 tcp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
N/A 127.0.0.1:5050 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 107.175.53.84.in-addr.arpa udp
N/A 127.0.0.1:5050 tcp
N/A 127.0.0.1:5050 tcp
N/A 127.0.0.1:5050 tcp

Files

memory/1080-0-0x00000192BC5D0000-0x00000192BC8CC000-memory.dmp

memory/1080-1-0x00000192D6EA0000-0x00000192D6EFC000-memory.dmp

memory/1080-2-0x00000192BCC70000-0x00000192BCC7E000-memory.dmp

memory/1080-4-0x00000192D6D20000-0x00000192D6D30000-memory.dmp

memory/1080-3-0x00007FFE47170000-0x00007FFE47C31000-memory.dmp

memory/1080-5-0x00000192BCCC0000-0x00000192BCCD2000-memory.dmp

C:\Windows\SysWOW64\WindowsInput.exe

MD5 a80be96476032d2eaa901d180fe9fb73
SHA1 f378d0bc5fefb9ea0b5006f020091ffcbcd7acec
SHA256 d6075c1ed6f285f5de01ce0cc6a817b59054da8b19f20bc7081cfe7fb2b1af42
SHA512 210c0c4c845b416a601015fba5ccd2a3e8a4b81d3b4c5e0491b07bd0dcad938d9b118728bb1abc21eb73c5f9263a3c08e1822ece91002a2d1f0983857f0192ea

C:\Windows\SysWOW64\WindowsInput.exe

MD5 a80be96476032d2eaa901d180fe9fb73
SHA1 f378d0bc5fefb9ea0b5006f020091ffcbcd7acec
SHA256 d6075c1ed6f285f5de01ce0cc6a817b59054da8b19f20bc7081cfe7fb2b1af42
SHA512 210c0c4c845b416a601015fba5ccd2a3e8a4b81d3b4c5e0491b07bd0dcad938d9b118728bb1abc21eb73c5f9263a3c08e1822ece91002a2d1f0983857f0192ea

C:\Windows\SysWOW64\WindowsInput.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

C:\Windows\SysWOW64\WindowsInput.exe

MD5 a80be96476032d2eaa901d180fe9fb73
SHA1 f378d0bc5fefb9ea0b5006f020091ffcbcd7acec
SHA256 d6075c1ed6f285f5de01ce0cc6a817b59054da8b19f20bc7081cfe7fb2b1af42
SHA512 210c0c4c845b416a601015fba5ccd2a3e8a4b81d3b4c5e0491b07bd0dcad938d9b118728bb1abc21eb73c5f9263a3c08e1822ece91002a2d1f0983857f0192ea

memory/2040-19-0x0000022492BA0000-0x0000022492BAC000-memory.dmp

memory/2040-20-0x00007FFE47170000-0x00007FFE47C31000-memory.dmp

memory/2040-21-0x0000022494760000-0x0000022494770000-memory.dmp

memory/2040-22-0x0000022494730000-0x0000022494742000-memory.dmp

memory/2040-23-0x00000224947C0000-0x00000224947FC000-memory.dmp

memory/2040-27-0x00007FFE47170000-0x00007FFE47C31000-memory.dmp

C:\Windows\SysWOW64\WindowsInput.exe

MD5 a80be96476032d2eaa901d180fe9fb73
SHA1 f378d0bc5fefb9ea0b5006f020091ffcbcd7acec
SHA256 d6075c1ed6f285f5de01ce0cc6a817b59054da8b19f20bc7081cfe7fb2b1af42
SHA512 210c0c4c845b416a601015fba5ccd2a3e8a4b81d3b4c5e0491b07bd0dcad938d9b118728bb1abc21eb73c5f9263a3c08e1822ece91002a2d1f0983857f0192ea

memory/3248-29-0x00007FFE47170000-0x00007FFE47C31000-memory.dmp

memory/3248-30-0x0000021FBFB80000-0x0000021FBFB90000-memory.dmp

memory/3248-31-0x0000021FBFFF0000-0x0000021FC00FA000-memory.dmp

C:\Windows\System32\svchosts.exe

MD5 4060530bf60f50e248e3d865761d9468
SHA1 407f6b210b125159d02637487323610b50c612ea
SHA256 c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921
SHA512 78bf9894a2824f7c67d67e3ac85a10e63447f8e945680af2da6c8d614c5ae8fbb94fddf24aa3f4c3ff6a99af3a83c297faabdca38dfe7b9d0e4cf0f9153dcd7a

C:\Windows\System32\svchosts.exe

MD5 4060530bf60f50e248e3d865761d9468
SHA1 407f6b210b125159d02637487323610b50c612ea
SHA256 c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921
SHA512 78bf9894a2824f7c67d67e3ac85a10e63447f8e945680af2da6c8d614c5ae8fbb94fddf24aa3f4c3ff6a99af3a83c297faabdca38dfe7b9d0e4cf0f9153dcd7a

C:\Windows\System32\svchosts.exe.config

MD5 a2b76cea3a59fa9af5ea21ff68139c98
SHA1 35d76475e6a54c168f536e30206578babff58274
SHA256 f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839
SHA512 b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

C:\Windows\System32\svchosts.exe

MD5 4060530bf60f50e248e3d865761d9468
SHA1 407f6b210b125159d02637487323610b50c612ea
SHA256 c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921
SHA512 78bf9894a2824f7c67d67e3ac85a10e63447f8e945680af2da6c8d614c5ae8fbb94fddf24aa3f4c3ff6a99af3a83c297faabdca38dfe7b9d0e4cf0f9153dcd7a

memory/1080-48-0x00007FFE47170000-0x00007FFE47C31000-memory.dmp

memory/4752-47-0x00007FFE47170000-0x00007FFE47C31000-memory.dmp

memory/4752-49-0x000001F225A10000-0x000001F225A20000-memory.dmp

memory/4752-50-0x000001F225C80000-0x000001F225CD8000-memory.dmp

memory/4752-51-0x000001F2259D0000-0x000001F2259E8000-memory.dmp

C:\Windows\System32\svchosts.exe

MD5 4060530bf60f50e248e3d865761d9468
SHA1 407f6b210b125159d02637487323610b50c612ea
SHA256 c7a771aedb642ed870b7931b02ee6e4e83abe3f5ce2996daecdd3f49adaa0921
SHA512 78bf9894a2824f7c67d67e3ac85a10e63447f8e945680af2da6c8d614c5ae8fbb94fddf24aa3f4c3ff6a99af3a83c297faabdca38dfe7b9d0e4cf0f9153dcd7a

memory/4752-53-0x000001F225FF0000-0x000001F2261B2000-memory.dmp

memory/4752-54-0x000001F225A00000-0x000001F225A10000-memory.dmp

memory/456-57-0x00007FFE47170000-0x00007FFE47C31000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

memory/456-65-0x000001CF758A0000-0x000001CF758B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe.config

MD5 740dde6369b1c855ea2f8e171fa888c8
SHA1 db3f1c7e5e4c087cf9eb02376fd750f1879f28f8
SHA256 e03c480b46464159387618445ca9fd9870b53e092e2278837f2d5a54daf06cae
SHA512 114607dcee4439e5e5c97ca986a65c8114a0e3f3c56f494ef6eaac9cb0f9ebf29b828aabc3100e4be197c94d54a7c26513942c56806bfb3bb0d3594ffef7458c

memory/2212-70-0x0000000000120000-0x0000000000128000-memory.dmp

memory/2212-71-0x00000000745A0000-0x0000000074D50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\svchostse.exe.log

MD5 4eaca4566b22b01cd3bc115b9b0b2196
SHA1 e743e0792c19f71740416e7b3c061d9f1336bf94
SHA256 34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb
SHA512 bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

memory/2212-75-0x00000000745A0000-0x0000000074D50000-memory.dmp

memory/3136-76-0x00000000745A0000-0x0000000074D50000-memory.dmp

memory/3136-78-0x00000000745A0000-0x0000000074D50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

memory/2824-79-0x00000000745A0000-0x0000000074D50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

memory/2824-83-0x00000000745A0000-0x0000000074D50000-memory.dmp

memory/4024-84-0x00000000745A0000-0x0000000074D50000-memory.dmp

memory/3248-82-0x00007FFE47170000-0x00007FFE47C31000-memory.dmp

memory/456-85-0x00007FFE47170000-0x00007FFE47C31000-memory.dmp

memory/4024-86-0x00000000745A0000-0x0000000074D50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

memory/1812-88-0x00000000745A0000-0x0000000074D50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

memory/1812-91-0x00000000745A0000-0x0000000074D50000-memory.dmp

memory/3248-90-0x0000021FBFB80000-0x0000021FBFB90000-memory.dmp

memory/3980-92-0x00000000745A0000-0x0000000074D50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

memory/4752-95-0x00007FFE47170000-0x00007FFE47C31000-memory.dmp

memory/3980-94-0x00000000745A0000-0x0000000074D50000-memory.dmp

memory/3052-96-0x00000000745A0000-0x0000000074D50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

memory/4752-98-0x000001F225A10000-0x000001F225A20000-memory.dmp

memory/4680-100-0x00000000745A0000-0x0000000074D50000-memory.dmp

memory/3052-99-0x00000000745A0000-0x0000000074D50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

memory/4680-101-0x00000000745A0000-0x0000000074D50000-memory.dmp

memory/3900-103-0x00000000745A0000-0x0000000074D50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

memory/3900-105-0x00000000745A0000-0x0000000074D50000-memory.dmp

memory/1116-106-0x00000000745A0000-0x0000000074D50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

memory/1116-108-0x00000000745A0000-0x0000000074D50000-memory.dmp

memory/772-109-0x00000000745A0000-0x0000000074D50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

memory/772-111-0x00000000745A0000-0x0000000074D50000-memory.dmp

memory/2868-112-0x00000000745A0000-0x0000000074D50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

memory/2868-113-0x00000000745A0000-0x0000000074D50000-memory.dmp

memory/1916-115-0x00000000745A0000-0x0000000074D50000-memory.dmp

memory/1916-117-0x00000000745A0000-0x0000000074D50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

memory/436-118-0x00000000745A0000-0x0000000074D50000-memory.dmp

memory/436-120-0x00000000745A0000-0x0000000074D50000-memory.dmp

memory/4696-121-0x00000000745A0000-0x0000000074D50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

memory/4696-123-0x00000000745A0000-0x0000000074D50000-memory.dmp

memory/3944-124-0x00000000745A0000-0x0000000074D50000-memory.dmp

memory/3944-125-0x00000000745A0000-0x0000000074D50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

memory/5020-127-0x0000000074640000-0x0000000074DF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

memory/5020-129-0x0000000074640000-0x0000000074DF0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5

C:\Users\Admin\AppData\Local\Temp\svchostse.exe

MD5 8ace06702ec59d170ca2b31f95812e0f
SHA1 de36712adf9b67d0b4c99d12eb59361adfc5473f
SHA256 f74d37fae8e3fb82eff8d6acf755687d9fb38403c38512ad794f16d5b471ce45
SHA512 5d4dc9ad439f66a17f286800559f1ad13f798cf633eaa7319f41691f2d11a519cccab568e0dd2cadebe4258f51d760fab9ca67e7ecb6c97ff496c9308de6cec5